usd-2021-0032 | SUSE CVE Database (suse.com)

Advisory ID: usd-2021-0032
Affected Product: SUSE CVE database 
Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: High
Vendor URL: https://www.suse.com/security/cve/  
Vendor Status: Fixed

Description

Suse's CVE database embedded third-party contents without sufficient filtering and/or encoding. Multiple incidents have been identified where Suse embedded untrusted <script> tags, resulting in stored Cross-Site-Scripting (XSS).

SUSE's CVE database is a website which displays information on public CVEs. The description part of CVE records is included into the website without filtering or escaping of the respective content. A malicious actor could have  included JavaScript code in the description text of a CVE. This code would then have been included within a page of the SUSE CVE database and could have been be misused for a stored cross-site scripting attack.

Proof of Concept (PoC)

In order to exploit the vulnerability, a new CVE record must be published officially. This CVE record can contain arbitrary text as a "description". Here, JavaScript code can injected. The SUSE CVE database imports this data automatically and displays the information on a website. The injected code will be executed automatically.

An example CVE containing an HTML <script> tag is CVE-2021-32718 (https://www.suse.com/security/cve/CVE-2021-32718.html). Here, the HTML tag was interpreted and potentially malicious JavaScript code which could follow here would have been executed. 

The following screenshots illustrate that the <script> tag is embedded without any encoding or filtering and interpreted as markup by the browser accordingly: