Summary
The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS.
Details
The q parameter for the /api/automation endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS.
PoC
POST /api/automation?q=%22%3E%3C%2Ftextarea%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E
Impact
Stored XSS:
Fix
- Added a Content Security Policy to all config pages on the web client, including the automation page
- Used DOM scripting to construct all components on the config pages, including the automation page
calligraf0 Reporter
Summary
The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS.
Details
The
qparameter for the/api/automationendpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS.PoC
Impact
Stored XSS:
Fix