PeTeReport 0.5 - Stored XSS (Attack Tree)

Summary

NamePeTeReport 0.5 - Stored XSS (Attack Tree)
Code nameBrown
ProductPeTeReport
Affected versionsVersion 0.5
Fixed versionsVersion 0.7
StatePublic
Release date2022-02-23

Vulnerability

KindStored cross-site scripting (XSS)
Rule010. Stored cross-site scripting (XSS)
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Base Score4.8
Exploit availableNo
CVE ID(s)CVE-2022-23051

Description

PeteReport Version 0.5 allows an authenticated admin user to inject persistent javascript code while adding an 'Attack Tree' by modifying the svg_file parameter.

Proof of Concept

Steps to reproduce

  1. Create a new Report.

  2. Create a new Finding for the Report.

  3. Go to 'Reports' > 'All Reports'.

  4. Click on 'View' in the last created record.

  5. Go to 'Attack Trees'.

  6. Click on 'Add Attack Tree'.

  7. Select your Finding and click on 'Save and Finish'.

  8. Intercept the request and insert javascript code inside the svg_file parameter.

       <script type="text/javascript">
         alert("XSS");
       </script>
    
  9. If a user visits the attack tree the javascript code will be rendered.

System Information

  • Version: PeteReport Version 0.5.
  • Operating System: Docker.
  • Web Server: nginx.

Exploit

There is no exploit for the vulnerability but can be manually exploited.

Mitigation

An updated version of PeteReport is available at the vendor page.

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://github.com/1modm/petereport

Issue https://github.com/1modm/petereport/issues/36

Timeline

Time-lapse-logo

2022-02-08

Vulnerability discovered.

Time-lapse-logo

2022-02-08

Vendor contacted.

Time-lapse-logo

2022-02-09

Vendor replied acknowledging the report.

Time-lapse-logo

2022-02-09

Vulnerability patched.

Time-lapse-logo

2022-02-23

Public Disclosure.