Stored XSS Vulnerability in Dynamic Dashboard Paragraph Widget

Updated: December 2nd, 2024
Stored XSS vulnerability in Dynamic Dashboard Widget

Product Name: Dynamic Dashboard
Vulnerability: Stored XSS
Vulnerable Version: >= 3.0.0, < 3.0.1
CVE: CVE-2024-47817

On October 5, 2024, security researchers from Astra discovered a severe Stored Cross-Site Scripting vulnerability in Dynamic Dashboard’s paragraph widget. The widget, which renders text and Markdown, did not adequately sanitize its input, allowing attackers to inject malicious code. The injected code is executed in the browser of any user or admin who views the widget, compromising the security of every user of the application.

How Does a Stored XSS Vulnerability Occur?

Phase 1: Injection

The attack starts with the attacker submitting malicious JavaScript to the application, embedded in Markdown links in the paragraph widget.

Phase 2: Storage

The code injected through the paragraph widget is stored in the application database and rendered in the affected section of the application, where it waits for any user or admin to view it.

Phase 3: Execution

Every time a user or an admin visits the affected page containing the paragraph widget, the malicious code runs in their browser session. This can be abused for data theft, account takeover or distribution of malware.

Impact of Stored XSS Vulnerability

Session Hijacking

Attackers can use this vulnerability to hijack sessions by stealing other users’ cookies or session tokens, leading to unauthorized data access and complete account takeover.

Malware Distribution

Stored XSS is persistent: the payload fires for every user who views the infected page, so attackers can use the injected page to spread malware at scale.

Website Defacement

Malicious scripts used for XSS can also alter webpage content, inject ads or deface the website, disrupting the user experience and directly damaging users’ trust in the site.

Current Status and Mitigation

Following the discovery of the vulnerability, the Dynamic Dashboard development team was promptly notified. The team acknowledged that the vulnerability affected versions >3.0.0. The team quickly applied fixes, including input sanitization and output encoding, in their v3.0.2 release so that user-supplied content is rendered as text rather than executed within the application.

What Can You Do?

Update the affected version to the latest version released by the Dynamic Dashboard team.
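The two fixes named above, input sanitization and output encoding, are shown below as an added example that is not Dynamic Dashboard's own code. It is a minimal renderer for `[text](url)` Markdown links that HTML-escapes all stored text and allow-lists the URL scheme of every link before it is placed in an `href`, together with an audit helper that lists the links the sanitizer would reject, which is useful for reviewing paragraph widget content that was stored before upgrading. The function names, the placeholder base URL `https://dashboard.invalid/` and all sample widget content are constructed for illustration.

```javascript
// Added example (not Dynamic Dashboard's own code). A minimal renderer for
// "[text](url)" Markdown links that applies the two fixes the advisory names,
// output encoding and input sanitization, plus an audit helper for content that
// was stored before the fix. Names, the base URL and all sample content are
// constructed for illustration.

// Output encoding: escape every character with meaning in HTML text or
// attribute context, so stored content is displayed, never parsed as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Input sanitization for hrefs: allow-list the URL scheme instead of trying to
// deny-list dangerous ones. Relative paths are resolved against a placeholder
// base so they can be classified too. C0 control characters are removed first
// because browser URL parsers ignore tab and newline inside a scheme.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
function safeHref(raw) {
  const cleaned = String(raw).replace(/[\u0000-\u001f\u007f]/g, "").trim();
  if (cleaned === "") return null;
  let parsed;
  try {
    parsed = new URL(cleaned, "https://dashboard.invalid/"); // placeholder base
  } catch {
    return null; // unparseable: treat as unsafe rather than passing it through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? cleaned : null;
}

// Link syntax accepted here: square-bracketed text followed by a parenthesised
// URL with no ")" inside it. Real Markdown parsers accept more; the point is
// that every href goes through safeHref before it reaches an attribute.
const LINK_RE = /\[([^\]]*)\]\(([^)]*)\)/g;

// Render paragraph content to HTML. Literal text is escaped; a link becomes an
// <a> only when its href passes safeHref, otherwise just the link text is
// emitted as escaped text, so a rejected scheme leaves nothing executable.
function renderParagraph(markdown) {
  let html = "";
  let last = 0;
  for (const m of markdown.matchAll(LINK_RE)) {
    html += escapeHtml(markdown.slice(last, m.index));
    const [whole, text, href] = m;
    const safe = safeHref(href);
    html += safe === null
      ? escapeHtml(text)
      : `<a href="${escapeHtml(safe)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
    last = m.index + whole.length;
  }
  return html + escapeHtml(markdown.slice(last));
}

// Audit helper for already-stored widget content: returns the hrefs that the
// sanitizer would reject, so an administrator can find links stored before
// the upgrade and review them.
function findRejectedLinks(markdown) {
  const rejected = [];
  for (const m of markdown.matchAll(LINK_RE)) {
    if (safeHref(m[2]) === null) rejected.push(m[2]);
  }
  return rejected;
}

// Constructed sample widget content (not real stored data).
const SAMPLES = [
  "See the [status page](https://status.example.com/) for details.",
  "Click [here](javascript:0) to continue.",
  "Contact [ops](mailto:ops@example.com) or read [the docs](/docs/intro).",
  "Raw <b>tags</b> & \"quotes\" are shown as text.",
];
for (const s of SAMPLES) {
  console.log(renderParagraph(s));
  console.log("  rejected:", JSON.stringify(findRejectedLinks(s)));
}
```

The scheme check is an allow-list on purpose: a deny-list of known-bad schemes is easy to slip past with case or control-character variations, whereas parsing with `URL` and accepting only `http:`, `https:` and `mailto:` classifies every input the same way a browser would. Escaping is applied at output time even though the href was already checked, because the two defences cover different contexts (attribute values versus text) and either one alone leaves a gap.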