EIQ-2022-0003

ID

EIQ-2022-0003

CVE

N/A

Description

Drop-down menus that render user-defined item names are vulnerable to stored XSS attacks

Date

9 May 2022

Severity

3 - HIGH

CVSSv3 score

N/A

Status

✅ 2.12.0, 2.11.3, 2.10.5

Assessment

Overview

Drop-down menus in the Intelligence Center (IC) that render user-defined item names are vulnerable to stored XSS (cross-site scripting) attacks. An attacker can create an object on the IC and have the object’s name/title contain a malicious payload. When any user on the IC opens a drop-down menu that attempts to display the malicious object’s name/title, the payload is triggered.

Requirements

An attacker needs at least modify permissions for any object type that gets displayed in a drop-down menu in the IC UI. Known affected object types (not exhaustive):

  • Entities

  • Groups

  • Taxonomies

  • Incoming feeds

  • Outgoing feeds

  • Workspaces

  • Datasets

  • Policies

To replicate:

  1. Create a user (user1) with at least modify taxonomies permissions.

  2. Sign in as the user (user1).

  3. Go to Data configuration > Taxonomies.

  4. Select Create taxonomy (+) to create a new taxonomy, and name it "><img src=x onerror="alert(1)">.

To trigger:

  1. Sign in as any user.

  2. Go to Data configuration > Taxonomies.

  3. Select Create taxonomy (+).

  4. In the Create taxonomy panel that opens, select the Parent drop-down menu to load a list of taxonomies, including the malicious taxonomy.

Mitigation

Drop-down menus in the IC UI now sanitize item names before displaying them.
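The following is an added example illustrating the Overview and Mitigation sections above; it is not EclecticIQ code and does not reflect how the IC UI is implemented. It contrasts a drop-down renderer that concatenates the raw item name into markup (the pattern the advisory describes) with one that HTML-escapes every user-controlled field before display, and includes a small check that can run in CI to catch the regression without a browser. All function names, the item shape ({ id, name }) and the sample taxonomy names are assumptions; the second sample name is the payload string quoted in the replication steps.

```javascript
// Added example (not EclecticIQ code): escaping user-defined item names
// before they are placed into drop-down markup. Function names and the
// { id, name } item shape are hypothetical.

// Characters that can break out of HTML text or a double-quoted attribute.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a value for insertion into HTML text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable renderer: the raw item name becomes part of the markup, so a
// name containing tags is parsed as HTML by every user who opens the menu.
function renderOptionUnsafe(item) {
  return `<option value="${item.id}">${item.name}</option>`;
}

// Hardened renderer: both user-controlled fields are escaped, so the same
// name is displayed literally as text.
function renderOptionSafe(item) {
  return `<option value="${escapeHtml(item.id)}">${escapeHtml(item.name)}</option>`;
}

// Build the whole drop-down from a list of items with the chosen renderer.
function renderDropdown(items, renderOption = renderOptionSafe) {
  return `<select name="parent">${items.map(renderOption).join("")}</select>`;
}

// Regression check for tests/CI: the rendered markup may contain only
// <select> and <option> tags; any other tag means an item name was not
// escaped. Returns true when an unexpected tag is present.
function containsUnexpectedTag(markup) {
  const tags = markup.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => !/^<\/?(select|option)$/.test(t));
}

// Constructed sample data: one benign taxonomy name and one carrying the
// payload string quoted in the advisory's replication steps.
const SAMPLE_ITEMS = [
  { id: "tax-1", name: "Malware family" },
  { id: "tax-2", name: '"><img src=x onerror="alert(1)">' },
];

// Render both variants and report whether each passes the check.
function demo() {
  const unsafe = renderDropdown(SAMPLE_ITEMS, renderOptionUnsafe);
  const safe = renderDropdown(SAMPLE_ITEMS, renderOptionSafe);
  console.log("unsafe markup contains unexpected tag:", containsUnexpectedTag(unsafe));
  console.log("safe markup contains unexpected tag:  ", containsUnexpectedTag(safe));
  console.log(safe);
  return { unsafe, safe };
}

demo();
```

In a real UI the same result is obtained by assigning the name to a node's `textContent` (or using a templating engine with auto-escaping) rather than building HTML strings; the `containsUnexpectedTag` check is deliberately coarse and is meant as a tripwire in a test suite, not as the sanitizer itself.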

Affected versions

2.11.2 and earlier.

Notes

N/A