Tested URL : https://pentest-2023.beta.nuxeocloud.com/nuxeo/api/v1/automation/Collection.Suggestion
Severity : low
Criticality Justification
The impact of self-XSS can range from personal data theft and account compromise to session hijacking and malware injection. It can lead to financial loss, identity theft, and reputational damage for the victim.
Although the impact is low in this case, the same rendering code might be exploitable in a different part of the application against another user.
Steps To Reproduce
Step 1: Log in to the Nuxeo platform as a regular user.
Step 2: Select an existing file and click the "Add to Collection" button in the top right of the page (screenshot: https://api.us.cobalt.io/v1/attachments/att_bKyJrht/preview).
Step 3: When selecting a Collection, enter the following payload as the collection name:
\\\\\\"><img scr=x onerror=alert(document.cookie)>
Step 4: The application renders a preview of the collection name to be created, and this preview triggers the XSS.
Suggested Fix
- Always treat all user input as untrusted data.
- Never insert untrusted data except in allowed locations.
- Always input- or output-encode all data coming into or going out of the application.
- Always whitelist allowed characters; use blacklisting of characters only in specific, justified use cases.
- Always use a well-known, security-reviewed encoding API for input and output encoding, such as the OWASP ESAPI.
- Never write your own input and output encoders unless absolutely necessary; chances are that someone has already written a good one.
- Never assign untrusted data through the DOM property innerHTML; use textContent (or innerText) instead to protect against DOM-based XSS.
- As a best practice, consider setting the HttpOnly flag on cookies that carry session tokens or other sensitive tokens.
- As a best practice, consider implementing a Content Security Policy to protect against XSS and other injection-type attacks.
- As a best practice, consider using an auto-escaping templating system.
- As a best practice, consider using the X-XSS-Protection response header.
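The following is an added example illustrating the output-encoding and DOM-sink points above; it is not Nuxeo's code and does not reflect how the Nuxeo UI actually builds the collection preview. It uses the report's payload as constructed untrusted input, shows the innerHTML concatenation pattern next to the hardened textContent pattern, and builds the response headers recommended above. The cookie name is a placeholder, and the deprecated X-XSS-Protection header is left out because current browsers ignore it.

```javascript
// Added example, not part of the original report or of Nuxeo.
// Demonstrates output encoding of a user-supplied collection name before it
// reaches an HTML sink, plus defence-in-depth headers.

// Constructed untrusted input: the collection name payload from the report.
const UNTRUSTED_NAME = '\\"><img scr=x onerror=alert(document.cookie)>';

// Encode the characters that are significant in HTML text and attribute
// contexts. This is the minimal encoder; a library such as OWASP ESAPI
// covers more contexts (URL, JavaScript, CSS).
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: markup is built by string concatenation and assigned
// through innerHTML, so tags inside the name are parsed by the browser.
function previewMarkupUnsafe(name) {
  return '<span class="preview">' + name + '</span>';
}

// Hardened pattern for server-side or template rendering: the untrusted
// value is HTML-encoded before it is placed into the markup.
function previewMarkupSafe(name) {
  return '<span class="preview">' + escapeHtml(name) + '</span>';
}

// Hardened pattern for client-side rendering: assign through textContent,
// which never parses its value as HTML. `element` is any DOM node; a plain
// object with a textContent property is enough for the stand-alone run.
function renderPreviewSafe(element, name) {
  element.textContent = name;
  return element.textContent;
}

// Returns true when the rendered string still contains an HTML tag, i.e. the
// encoding step was skipped.
function containsTag(markupOrText, tagName) {
  return markupOrText.toLowerCase().includes('<' + tagName.toLowerCase());
}

// Defence-in-depth headers: a CSP without inline script, and a session cookie
// that JavaScript cannot read. SESSION_COOKIE_NAME is a placeholder.
function securityHeaders(sessionCookieName = 'SESSION_COOKIE_NAME', sessionValue = 'opaque-token') {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    'Set-Cookie': `${sessionCookieName}=${sessionValue}; HttpOnly; Secure; SameSite=Lax; Path=/`,
  };
}

// Stand-alone demonstration.
const fakeElement = { textContent: '' };
console.log('unsafe :', previewMarkupUnsafe(UNTRUSTED_NAME));
console.log('safe   :', previewMarkupSafe(UNTRUSTED_NAME));
console.log('dom    :', renderPreviewSafe(fakeElement, UNTRUSTED_NAME));
console.log('headers:', securityHeaders());

module.exports = { UNTRUSTED_NAME, escapeHtml, previewMarkupUnsafe, previewMarkupSafe, renderPreviewSafe, containsTag, securityHeaders };
```

The encoded preview still displays the name the user typed, character for character, but the browser sees `&lt;img ...&gt;` rather than an element, so no event handler is created. The CSP and HttpOnly cookie do not replace encoding; they limit what a missed encoding step can do, which is the concern raised in the criticality justification.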
Prerequisites
Authenticated user required
Clones: NXP-32592 #PT22227_7 Cross Site Scripting (Self) in Collection Name Preview (status: Open)