Persistent XSS in Metadata field
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
manila-ui | Fix Released | Critical | Valeriy Ponomaryov | 
Bug Description
The Metadata field in the "Create Share" form allows users to inject malicious HTML/JavaScript code that will be reflected in the "Shares" overview. I guess the issue comes from a mark_safe() call on the user-supplied metadata [1].
It should be noted that unprivileged users can exploit this vulnerability. This could lead to privilege escalation by, e.g., stealing the session tokens of higher-privileged users (e.g. admins).
Due to the size limitation of metadata strings, the malicious payload needs to be split over multiple keys. To reproduce this issue, in Horizon, go to Project -> Compute -> Shares -> Create Share. In the Metadata field, add the following payload:
a=<script>
b=*/<script>
As soon as the share is created, the payload is reflected in the browser. It will also be reflected each time the Shares list is loaded (e.g. by clicking on Project -> Compute -> Shares).
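The mechanics behind the report, as an added example that is not manila-ui or Horizon code: Django autoescapes template variables, but mark_safe() tells the engine to emit a string verbatim, so wrapping HTML that was built from raw user metadata in mark_safe() switches escaping off for every byte of it. The SafeString/mark_safe/template_output helpers below are stand-ins for django.utils.safestring and the template autoescape so the example runs without Django; the metadata values are constructed for the demonstration and are not the reporter's payload.

```python
import html
from typing import Dict


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString: a str the (mock)
    template engine outputs without escaping."""


def mark_safe(s: str) -> SafeString:
    """Stand-in for django.utils.safestring.mark_safe()."""
    return SafeString(s)


def template_output(value: str) -> str:
    """Mimics Django's autoescape: anything not marked safe is HTML-escaped."""
    if isinstance(value, SafeString):
        return str(value)
    return html.escape(value)


# Constructed sample metadata (assumption, not from the bug report). Per-key
# length limits force an attacker to spread a payload over several keys; the
# fragments only need to reassemble into markup once the page concatenates them.
SAMPLE_METADATA: Dict[str, str] = {
    "a": "<script>",
    "b": "</script>",
}


def render_metadata_vulnerable(metadata: Dict[str, str]) -> str:
    """The flawed pattern: build HTML from raw user input, then mark_safe()
    the whole string, which bypasses autoescape for the user input too."""
    markup = "".join(f"{key}={value}<br />" for key, value in metadata.items())
    return template_output(mark_safe(markup))


def render_metadata_fixed(metadata: Dict[str, str]) -> str:
    """Escape each user-controlled fragment *before* mark_safe(), so only the
    developer-written <br /> survives as markup. In real Django code,
    format_html()/format_html_join() do exactly this."""
    markup = "".join(
        f"{html.escape(key)}={html.escape(value)}<br />"
        for key, value in metadata.items()
    )
    return template_output(mark_safe(markup))


def leaks_user_markup(rendered: str, metadata: Dict[str, str]) -> bool:
    """Regression check: True if any user-supplied key or value containing
    '<' or '>' reaches the rendered output unescaped."""
    for fragment in (*metadata.keys(), *metadata.values()):
        if any(ch in fragment for ch in "<>") and fragment in rendered:
            return True
    return False


if __name__ == "__main__":
    vuln = render_metadata_vulnerable(SAMPLE_METADATA)
    fixed = render_metadata_fixed(SAMPLE_METADATA)
    print("vulnerable:", vuln, "| leaks:", leaks_user_markup(vuln, SAMPLE_METADATA))
    print("fixed:     ", fixed, "| leaks:", leaks_user_markup(fixed, SAMPLE_METADATA))
```

The check in leaks_user_markup is the kind of assertion worth keeping in a view's unit tests: render with metadata that contains angle brackets and fail if the raw fragment appears in the output. Note that the fix is to escape the untrusted pieces and only then mark the assembled string safe, not to stop using mark_safe() while still interpolating raw input.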
Changed in manila-ui:
status: New → Confirmed
information type: Private Security → Public Security
Attached a patch with the fix to this comment. Please try it out.