
security: XSS vulnerability (CVE-2023-23277) #57

@go-compile

Description

XSS/Cross Site Scripting Vulnerability

Vulnerability: XSS
Severity: VERY HIGH
Image: pawelmalak/snippet-box:arm
Digest: sha256:ba9245cc339d159588c76b33f0ae708f5c1af68a27f876561b8b84ed5b8ee288

Why this is a problem: Snippet-box doesn't have authentication, allowing anyone to perform this attack. Furthermore, if Snippet-box is running on a domain which is used by other services, e.g. Nextcloud, then an attacker could potentially perform a lateral move by extracting local storage and obtaining authentication tokens. Alternatively, one could perform CSRF even if "same site cookies" are enabled; depending on the service, account takeover may be possible due to XSS on the same domain.

Proof of Concept

  1. Create a new snippet.
  2. Set the snippet content to:

     <h1>HTML is being rendered</h1>
     <p style="color: red">WARNING XSS</p>
     <script>alert("XSS")</script>

  3. Copy the "raw url".
  4. Navigate to it within a browser.

Result

[screenshot of the result, not captured in the text]

Cause

The cause of this vulnerability is the raw snippet route setting Content-Type to text/html.

Resolution

Follow both steps.

  1. Set content-type to text/plain.
  2. Set header X-Content-Type-Options: nosniff.

Responsible disclosure statement: I was unable to find emergency contact information for reporting security concerns in private; as a result, this issue has been created.
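To make the cause and the two-step resolution concrete, here is an added example (my own code, not snippet-box's source) of a minimal Node raw-snippet route in its vulnerable and hardened forms, plus a header check you can run against a deployment's raw URL. The route paths, the in-memory snippet store, and the finding strings are assumptions for the demo; the PoC payload from the report is used as constructed sample data. The second step matters because a text/plain body that looks like HTML can still be sniffed back into HTML by some older browsers unless X-Content-Type-Options: nosniff is present.

```javascript
// Added example, not snippet-box's own code. Node 18+ (global fetch).

// Constructed sample data: the PoC payload from the report, stored as snippet 1.
const snippets = new Map([
  [1, '<h1>HTML is being rendered</h1>\n<p style="color: red">WARNING XSS</p>\n<script>alert("XSS")</script>\n'],
]);

// Vulnerable: user content is served with Content-Type text/html, so the
// browser renders the snippet as a document and runs the embedded script.
function rawHandlerVulnerable(snippet) {
  return { status: 200, headers: { 'Content-Type': 'text/html' }, body: snippet };
}

// Hardened (both steps from the Resolution): serve as plain text so the markup
// is displayed literally, and forbid MIME sniffing. charset is set explicitly
// so the body cannot be re-interpreted under a different encoding.
function rawHandlerHardened(snippet) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/plain; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: snippet,
  };
}

// Practitioner's check: given response headers (any casing), return findings.
// Empty array means the raw route is safe against this class of XSS.
function checkRawHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  const ct = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (ct === '') {
    findings.push('missing Content-Type (browser will sniff)');
  } else if (ct === 'text/html' || ct === 'application/xhtml+xml' || ct === 'image/svg+xml') {
    findings.push(`Content-Type ${ct} lets the browser execute script in the snippet`);
  }
  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  return findings;
}

// Route both handlers (paths are assumptions): /api/snippets/raw/:id is the
// hardened route; /vulnerable/raw/:id is kept only to demonstrate the bug.
function handleRequest(req, res) {
  const m = /^\/(vulnerable|api\/snippets)\/raw\/(\d+)$/.exec(req.url);
  const snippet = m && snippets.get(Number(m[2]));
  if (!snippet) { res.writeHead(404); res.end('not found'); return; }
  const out = m[1] === 'vulnerable' ? rawHandlerVulnerable(snippet) : rawHandlerHardened(snippet);
  res.writeHead(out.status, out.headers);
  res.end(out.body);
}

// Stand-alone demo: start on a random loopback port, fetch both routes and
// print the findings for each, then shut down.
async function demo() {
  const http = await import('node:http');
  const server = http.createServer(handleRequest);
  server.on('error', (err) => console.error('demo skipped:', err.message));
  await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
  try {
    const base = `http://127.0.0.1:${server.address().port}`;
    for (const path of ['/vulnerable/raw/1', '/api/snippets/raw/1']) {
      const r = await fetch(base + path);
      const findings = checkRawHeaders(Object.fromEntries(r.headers));
      console.log(path, findings.length ? findings : 'OK');
    }
  } finally {
    server.close();
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().catch((err) => console.error('demo skipped:', err.message));
}
```

Running the file prints two findings for the vulnerable path (text/html plus missing nosniff) and OK for the hardened one. Against a real instance, feed the raw URL's response headers (for example from a fetch in the browser console or from the headers of a curl run) into checkRawHeaders; any non-empty result means the raw route still needs the fix.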
