Alfresco Stored XSS Vulnerability

Blind Stored XSS in Alfresco Enterprise 5.2.4

Description:

Alfresco allows users to upload documents, which are stored in the Alfresco portal. An attacker can upload a .html file containing malicious JavaScript, which then executes on the Alfresco portal. During the assessment, we were able to execute blind stored cross-site scripting on the Alfresco portal, which contains sensitive documents.

Risk:

A remote attacker can steal the victim’s credentials by delivering keylogger JavaScript. Phishing attacks can also be performed by changing the content of the .html file that is executed in the browser. This allows an attacker to perform any action in Alfresco as the logged-in user. Additionally, the following attack scenarios are possible:

• By showing a new login screen, the user’s credentials can be hijacked.

• By adding JavaScript, an attacker can redirect a victim to malicious websites.

Below is the POC for the Stored Cross-site scripting:

  1. Malicious HTML file uploaded by a remote attacker in the Alfresco portal:

Image of Alfresco

  2. Cross-site scripting (XSS) is triggered in the Alfresco portal when the victim clicks on the "view in browser" tab.

Image of Alfresco

  3. Another example: a phishing page created by modifying the content in the HTML page.

Image of Alfresco
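The root cause shown in the POC is that an uploaded .html file is rendered in the portal's own origin. The following is an added mitigation sketch, not Alfresco's code or the vendor's fix: a hypothetical `response_headers` helper that a document-serving endpoint could use so that only an allow-list of passive types is displayed inline and everything else is downloaded. The allow-list and function name are assumptions made for this example.

```python
import os
from urllib.parse import quote

# Assumed allow-list for this example: extension -> the only MIME type
# that extension may be displayed inline as. HTML, SVG and XML are absent
# on purpose because browsers run script from them.
INLINE_SAFE = {
    ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".gif": "image/gif", ".txt": "text/plain",
}


def response_headers(filename, stored_mime):
    """Build response headers for returning a user-uploaded document."""
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    declared = (stored_mime or "").split(";")[0].strip().lower()

    # Inline only when extension and stored type agree on a passive type.
    # Active, unknown or mismatched content is forced to download.
    inline = INLINE_SAFE.get(ext) == declared

    # ASCII fallback name: CR, LF, quotes and spaces become "_" so the
    # uploaded name cannot inject headers or break the quoted string.
    ascii_name = "".join(
        c if c.isascii() and (c.isalnum() or c in "._-") else "_" for c in base
    )
    disposition = "inline" if inline else "attachment"
    return {
        "Content-Type": declared if inline else "application/octet-stream",
        "Content-Disposition": (
            f'{disposition}; filename="{ascii_name}"; '
            f"filename*=UTF-8''{quote(base, safe='')}"
        ),
        # Stop the browser from sniffing a passive type into HTML.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: if a document is rendered anyway, it gets an
        # opaque origin and no script execution.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    # Constructed sample uploads, including the .html case from the POC.
    for name, mime in [("poc.html", "text/html"), ("scan.PNG", "image/png"),
                       ("logo.svg", "image/svg+xml"), ("x.png", "text/html")]:
        print(name, "->", response_headers(name, mime)["Content-Disposition"])
```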

Thank you for reading!