Vulnerability fixed (XSS INCIBE-2021-0041)

VULNERABILITY

Cross-Site Scripting (XSS) in the Reports module

INCIBE (the Spanish National Cybersecurity Institute) has coordinated the publication of a vulnerability in WOCU-Monitoring.

The vulnerability is a persistent Cross-Site Scripting (XSS) in its Reports module.
This vulnerability has been assigned the identifier CVE-2021-4035.

A Stored Cross-Site Scripting (Stored XSS), also known as persistent XSS, is a vulnerability that allows an attacker to inject browser-executable code that the web site stores and later includes in pages shown to other users.

Vulnerability Description

TinyMCE, the text editor used by WOCU-Monitoring in its Reports module, allows users to edit and format text from a web browser, saving the result in HTML format by default. The use of the editor's .setContent method to load stored data did not properly validate the saved content, so JavaScript code could be executed if it had been injected into certain attributes.
The lack of proper data validation, together with a permissive policy for rich text in our backend, made it possible in versions higher than 0.27 and lower than 48.2 to execute JavaScript code in the display of Reports comments.

The reported vulnerability was exploitable only by users of the WOCU-Monitoring application with access to write comments in the Reports module.

Impact

An attacker with a user account that has access to the Reports module and comment-writing permissions could save a comment containing JavaScript code. This code could be executed in the browser of another user with the same access when viewing the comments saved in the report.

Affected versions

Versions of WOCU-Monitoring lower than 48.2 and higher than 0.27 were vulnerable.

Vulnerability fix


The vulnerability reported by INCIBE was due to incorrect sanitization of elements handled by the TinyMCE text editor. All data that makes use of rich text is sanitized by means of white lists of allowed tags and attributes. The XSS found meant that, if JavaScript code had been injected into the stored data, it would be executed when TinyMCE loaded that data.

The WOCU-Monitoring team verified and confirmed the vulnerability within hours of receiving the notification, and patched the first customers of the solution within 24 hours of the notification.

How does it affect my company?

The reported vulnerability has been patched for all WOCU-Monitoring customers running the affected versions mentioned above.

No further action is required: the fix started to be rolled out 24 hours after the vulnerability was reported, and as of 05/12/2021 all installations are upgraded or properly patched.

From the team of WOCU-Monitoring we are grateful to INCIBE
for the quick coordination during the whole process, as well as to the auditor in charge of reporting it.

All software has vulnerabilities; what must be assessed in these cases is a company's ability to verify, address and mitigate them in a short time.
We urge other auditors to contact us without any fear if they find flaws in our solution, just as we invite other companies to fix vulnerabilities with the same level of transparency.

References

https://owasp.org/www-community/attacks/xss/
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/wocu-monitoring-vulnerable-cross-site-scripting-xss-persistente