
GHSA-pf56-h9qf-rxq4 @saltcorn/server

Package

Manager: npm
Name: @saltcorn/server
Vulnerable Version: >=0 <1.0.0-beta.16

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: N/A (percentile N/A)

Details

Saltcorn Server Stored Cross-Site Scripting (XSS) in event logs page

### Summary

Event log data is not properly sanitized, leading to a stored Cross-Site Scripting (XSS) vulnerability.

### Details

- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/eventlog.js#L445

```js
router.get(
  "/:id",
  isAdmin,
  error_catcher(async (req, res) => {
    const { id } = req.params;
    const ev = await EventLog.findOneWithUser(id);
    send_events_page({
      [...]
      contents: {
        type: "card",
        contents:
          [...]
          ) +
          div(
            { class: "eventpayload" },
            ev.payload ? pre(JSON.stringify(ev.payload, null, 2)) : "" //<--- payload inserted into the HTML unescaped
          ),
      },
    });
  })
```

### PoC

The following PoC demonstrates how a non-admin user with permission to read/write on a table can inject malicious JavaScript code that will be executed in the event log admin panel if event logs are enabled.

To demonstrate this issue, we need to prepare some components. The following steps should be executed with an admin user.

1. Create a table with one column of type string and set read/write permission to staff users (just as an example):
   - visit `http://localhost:3000/table/new`
   - create a table with `Table name` `my_table_xss` and click `Create`
   - click `Add field` to add a field with `Label` called `payload` of type `String` and click `Next >>`
   - leave default values for `Attributes` and click `Next >>`
   - it should redirect to `http://localhost:3000/table/<table-number>`
   - under `Edit table properties`, set `Minimum role to read` and `Minimum role to write` to `staff`
2. Create an edit view so that staff users can insert more data:
   - visit `http://localhost:3000/viewedit` and click `Create View`
   - set the following values:
     - `View name`: `my_xss_view`
     - `View pattern`: `Edit`
     - `Table`: `my_table_xss`
     - `Minimum role`: `staff`
   - click `Configure >>`
   - on page `http://localhost:3000/viewedit/config/my_xss_view` click `Next >>` and then `Finish >>`
   - you should see a message `View my_xss_view saved`
3. Edit the site structure to add the view just created so that `staff` users can access it:
   - visit `http://localhost:3000/menu`
   - set the following values:
     - `Type`: `View`
     - `View`: `my_xss_view [Edit]`
     - `Text label`: `view`
     - `Minimum role`: `staff`
   - click `Add`
4. Create an event that will log when data is inserted in the `my_table_xss` table created at step 1:
   - visit `http://localhost:3000/eventlog/settings`
   - under `Which events should be logged?` select:
     - `[X] Insert`
     - `[X] Insert my_table_xss`

Log in with a user with the staff role (you can do the same steps also with an admin user):

- visit `http://localhost:3000/view/my_xss_view`
- in the `payload` field insert ``"<svg/onload=alert(`xss`)>"`` and click `Save`

With an admin user, inspect the log entry generated by the above action:

- visit `http://localhost:3000/eventlog`
- click on the event log generated (`http://localhost:3000/eventlog/<event-number>`)
- an alert will appear

### Impact

Stored Cross-Site Scripting (XSS)

### Recommended Mitigation

Sanitize the user input before building HTML elements
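As an added illustration of the recommended mitigation (example code, not Saltcorn's own), the rendering pattern from the snippet above is shown beside an HTML-escaped version; `div` and `pre` are minimal stand-ins for the project's markup helpers, and the event payload is a constructed sample, not real log data.

```javascript
// Added example, not Saltcorn's code: `div` and `pre` are minimal stand-ins
// for the markup helpers in the advisory's snippet (assumed, not the real API).
const div = (attrs, ...children) =>
  `<div class="${attrs.class}">${children.join("")}</div>`;
const pre = (...children) => `<pre>${children.join("")}</pre>`;

// Escape the characters that change meaning inside an HTML text node or attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern from the advisory: JSON.stringify does not HTML-escape,
// so markup stored in a string field reaches the admin's browser as markup.
function renderPayloadVulnerable(payload) {
  return div({ class: "eventpayload" },
    payload ? pre(JSON.stringify(payload, null, 2)) : "");
}

// Hardened version: escape the serialized text before wrapping it in <pre>.
// The browser still displays the original characters, but as text, not tags.
function renderPayloadSafe(payload) {
  return div({ class: "eventpayload" },
    payload ? pre(escapeHtml(JSON.stringify(payload, null, 2))) : "");
}

// Constructed event payload shaped like an Insert event on the PoC table,
// carrying the advisory's test string in the user-writable column.
const samplePayload = {
  table: "my_table_xss",
  row: { payload: "<svg/onload=alert(`xss`)>" },
};

// Review check: a tag opener inside the <pre> body means escaping was skipped.
function containsRawTag(html) {
  const open = html.indexOf("<pre>");
  const close = html.lastIndexOf("</pre>");
  if (open === -1 || close === -1) return false;
  return /<[a-zA-Z]/.test(html.slice(open + "<pre>".length, close));
}

console.log(containsRawTag(renderPayloadVulnerable(samplePayload))); // true
console.log(containsRawTag(renderPayloadSafe(samplePayload)));       // false
```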

Metadata

Created: 2024-10-07T15:14:40Z
Modified: 2024-10-07T15:14:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-pf56-h9qf-rxq4/GHSA-pf56-h9qf-rxq4.json
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F425
Auto approve: 1