{"id":17518,"date":"2021-11-30T13:10:02","date_gmt":"2021-11-30T12:10:02","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=17518"},"modified":"2021-12-01T08:54:54","modified_gmt":"2021-12-01T07:54:54","slug":"usd-2021-0032","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0032\/","title":{"rendered":"usd-2021-0032"},"content":{"rendered":"\n\n\n[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

usd-2021-0032 |\u00a0SUSE CVE Database (suse.com)<\/h1>\n

Advisory ID<\/strong>: usd-2021-0032
Affected Product<\/strong>: SUSE CVE database\u00a0
Vulnerability Type<\/strong>: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<\/span>
Security Risk<\/strong>: High
Vendor URL<\/strong>: https:\/\/www.suse.com\/security\/cve\/<\/a> \u00a0<\/a>
Vendor Status<\/strong>: Fixed<\/em><\/p>\n

<\/span><\/p>\n

Description<\/h3>\n

Suse's CVE database embedded<\/span> third-party contents without sufficient filtering and\/or encoding. Multiple incidents have been identified where Suse embedded untrusted <script><\/strong>\u00a0tags, resulting in stored Cross-Site-Scripting (XSS).<\/p>\n

SUSE's CVE database is a website which displays information on public CVEs. The description part of CVE records is included into the website without filtering or escaping of the respective content. A malicious actor could have\u00a0 included JavaScript code in the description text of a CVE. This code would then have been included within a page of the SUSE CVE database and could have been be misused for a stored cross-site scripting attack.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

In order to exploit the vulnerability, a new CVE record must be published officially. This CVE record can contain arbitrary text as a \"description\". Here, JavaScript code can injected. The SUSE CVE database imports this data automatically and displays the information on a website. The injected code will be executed automatically.<\/p>\n

An example CVE containing an HTML <script><\/strong>\u00a0tag is CVE-2021-32718<\/em> (https:\/\/www.suse.com\/security\/cve\/CVE-2021-32718.html<\/a>). Here, the HTML tag was interpreted and potentially malicious JavaScript code which could follow here would have been executed.\u00a0<\/p>\n

The following screenshots illustrate that the <script> <\/strong>tag is embedded without any encoding or filtering and interpreted as markup by the browser accordingly:\u00a0<\/p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/11\/suse_xss1.png\" title_text=\"suse_xss1\" _builder_version=\"4.13.1\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/11\/suse_xss4.png\" title_text=\"suse_xss4\" _builder_version=\"4.13.1\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

\n
\n

Fix<\/h3>\n

It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context. The majority of programming languages supports standard procedures for encoding meta characters.<\/p>\n

<\/h3>\n

References<\/h3>\n