EIQ-2023-0001

ID: EIQ-2023-0001

CVE: N/A

Description: HTML injection through title field of report entity when exporting to PDF

Date: 19 January 2023

Severity: 2 - MEDIUM

CVSSv3 score: 4.6

Status: ✅ 3.0.0

Assessment

Attackers can enter <img> or <embed> tags into the title field of a report entity that reference an image hosted on a remote server or stored on the local filesystem.

When the entity is exported as a PDF, the referenced image is loaded and displayed (if readable by the application process) in the resulting PDF.

This allows the attackers to:

  • perform a limited SSRF (Server-Side Request Forgery) that loads and displays images hosted by the application or stored on its filesystem that the attacker could not otherwise reach.

  • fingerprint the IC server by making it load a resource from a server they control.

  • cause a denial of service by referencing an arbitrary, large file that the PDF engine attempts to load into memory when a PDF export is triggered. If the file is large enough, other services can be killed, making the application and its related services unavailable.

Code execution is prevented by safety mechanisms in the UI and weasyprint.
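The two controls a defender would put on this rendering path are (1) escaping the user-controlled title before it is placed in the HTML that the PDF engine consumes, so an injected tag becomes literal text, and (2) giving the PDF engine a URL fetcher that refuses `file://` URLs and any host not on an allow-list, so even a tag that slips through cannot trigger a fetch. The following is an added illustration of both, not EclecticIQ's code and not the fix shipped in 3.0.0; the host name `assets.example.internal`, the sample titles and the `contains_markup` detection helper are constructed for this example. `restricted_url_fetcher` mirrors the `(url, timeout, ssl_context)` signature of WeasyPrint's `default_url_fetcher` and only imports WeasyPrint when a fetch is actually permitted, so the policy logic runs without it installed.

```python
"""Hardening for a user-supplied report title rendered into a PDF via HTML.

Added example for the flaw class in EIQ-2023-0001; not the vendor's code.
"""
import html
import re
from urllib.parse import urlparse

# Constructed sample inputs: a benign title and one carrying an injected tag.
BENIGN_TITLE = "Q1 threat landscape"
INJECTED_TITLE = '<img src="file:///etc/hostname">Q1 threat landscape'

# Loose tag matcher used only to flag stored titles for review.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup(title: str) -> bool:
    """Detection helper (constructed): does a stored title carry an HTML tag?"""
    return bool(TAG_RE.search(title))


def render_title_html(title: str) -> str:
    """Build the heading fragment fed to the PDF engine.

    html.escape turns '<', '>', '&' and quotes into entities, so an injected
    <img> or <embed> is rendered as visible text rather than as an element
    the engine would try to load.
    """
    return f"<h1>{html.escape(title, quote=True)}</h1>"


# Hosts the renderer may fetch sub-resources from (constructed allow-list).
ALLOWED_HOSTS = frozenset({"assets.example.internal"})


def is_fetch_allowed(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allow-list policy for sub-resource fetches during PDF rendering.

    Only https to a known host passes. file://, data:, plain http and any
    unknown host are refused, which closes the local-file read, the
    attacker-server fingerprinting and the arbitrary-large-file paths.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    return parsed.hostname in allowed_hosts


def restricted_url_fetcher(url, timeout=10, ssl_context=None):
    """Drop-in replacement for weasyprint.default_url_fetcher (same signature).

    The policy check runs before any network or filesystem access, so a
    blocked URL never causes a fetch. Pass it as
    HTML(string=..., url_fetcher=restricted_url_fetcher).write_pdf().
    """
    if not is_fetch_allowed(url):
        raise ValueError(f"blocked sub-resource fetch: {url}")
    # Imported lazily: only needed once a fetch has been permitted.
    from weasyprint import default_url_fetcher
    return default_url_fetcher(url, timeout=timeout, ssl_context=ssl_context)


if __name__ == "__main__":
    for title in (BENIGN_TITLE, INJECTED_TITLE):
        print(contains_markup(title), render_title_html(title))
    for url in ("file:///etc/hostname", "https://attacker.example/x.png",
                "https://assets.example.internal/logo.png"):
        print(url, is_fetch_allowed(url))
```

Escaping is the primary fix because it removes the injection itself; the fetcher is defence in depth for any other HTML path into the same renderer (other fields, templates, imported content). Running `contains_markup` over existing stored titles gives a quick inventory of records that may already carry injected tags.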

Mitigation: -

Affected versions: 2.14.0 and earlier.

Notes: N/A