Summary

Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users' browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity.

Details

A user with rights to modificate the service (e.g. kuiperUser role) can inject XSS Payload into Connection Configuration key Name (confKey) parameter. Then, after any user with access to this service (e.g. admin) will try to delete this key, a payload will act in victim's browser.

PoC

1. Authorize as a user with rights to modificate the service (e.g. kuiperUser role).
2. Create a service or go to the existing one and access the Configuration > Connection page:

3. Open any existing Connection and press on Add configuration key:

4. Set any name and Address, then intercept the request and add the following payload to the confKey parameter: 123%3Cimg%20src=1%20onerror%3dalert%281%29%3E:

5. A new configuration key then will be set:

6. (Optional) You can authorize another user with access to this service. For nexe steps I will use admin user
7. After we push on delete button (trash icon) opposite the created connection, the payload will work:

Impact

Stored Cross-site Scripting (XSS) vulnerability

Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone