Stored XSS & Insecure File Upload In Cervantes Alpha 0.5

Updated: August 28th, 2024
4 mins read
stores xss insecure file upload vulnerability

Two vulnerabilities—stored XSS (CVE-2024-42054) and insecure file upload (CVE-2024-42055)—have been detected in the Alpha 0.5 version of CervantesSec. This article will outline what CervantesSec does, the vulnerabilities found, and its current status. 

What is CervantesSec?

Cervantes is an open-source collaborative platform that enables cybersecurity teams and security experts to manage projects, reports, clients, and vulnerabilities in a single platform. This platform saves pentesters’ and red teams’ time with features like AI integration, team collaboration across platforms, and security roles.

Astra detected two vulnerabilities in their Alpha 0.5 version, released on April 3rd, 2023. The two vulnerabilities are stored XSS and insecure file uploads.

What is Stored XSS?

Stored cross-site scripting (XSS), or persistent XSS, occurs when an attacker uses a web application’s vulnerability to insert malicious code into a component that accepts user input, such as a forum post or comment section. The program then stores this injection and valid user input in a file system or database.

The web application retrieves the stored data, including the attacker’s malicious code, when a different user accesses the same page. The victim’s browser then unintentionally runs this malware, jeopardizing their security. This vulnerability can be prevented by sanitizing the input through output encoding and validation.

Impact of Stored XSS

1. Redirections to Malicious Sites

Attackers can create scripts that direct a user’s browser to a phishing website instead of the real one, where they can steal passwords or infect the user’s device with malware.

2. Altered Website Content

Malicious scripts can change a website’s look while introducing propaganda or misleading content. This could damage user confidence and harm the website’s reputation.

3. Disabling Website Functions

Attackers sometimes try to interfere with a website’s essential features so users cannot carry out their intended activity. This can be especially harmful for online services or e-commerce websites.

What is Insecure File Upload?

A web application that permits users to upload files without appropriate validation and constraints creates an insecure file upload vulnerability. This occurs when an application doesn’t have the tools necessary to verify the origin, content, or nature of uploaded files. 

When an attacker uploads a file that contains malicious code under the disguise of a harmless file type (such as an image or document), the application processes the file and unintentionally runs the harmful code that the attacker has concealed. 

Such a code can have several negative consequences, like allowing hackers to enter the system without authorization, steal confidential information, or even take over the server entirely. In Cervantes’s case, this vulnerability led to an HTML Injection. 

Impact of Insecure File Upload

1. HTML Injection

Attackers can insert HTML code into files that appear safe using insecure file upload. When this code is run by the user’s browser, it can modify website content, reroute users to phishing websites, or steal data.

2. Privilege Escalation

An attacker may use vulnerabilities in uploaded files to increase their privileges within the system, even if they cannot take complete control at first. As a result, they may be able to access more private information or resources.

3. Web Shell Upload

An attacker can upload a web shell script to gain a permanent backdoor into the system. Thanks to this, they may now remotely access the system, gradually steal data, and launch further assaults.

What is the Current Status?

Once Astra discovered these two vulnerabilities in the Alpha 0.5 version of Cervantes, our team flagged them along with fixes to the Cervantes team and recommended that they incorporate them as soon as possible to prevent data exploitation.

Following our alert, the application developer issued the fix for the XSS issues in the code but has not yet released it.

What Can You Do?

  1. While an official patch is not yet available, we found that XSS-related fixes were added to the application’s main branch of the GitHub repository. As such, users can build the image from the latest changes in the repository and use it in docker-compose. 

Please note that this should be used in a test environment first to ensure everything works as required.

  1. Avoid using the app in environments where sensitive data is handled.
  2. Be cautious when interacting with content that could be provided by untrusted sources.
  3. If possible, avoid uploading files that could be exploited, such as HTML, JavaScript, or other executable content.
  4. If file uploads are necessary, ensure the content is trusted and originates from reliable sources.
  5. Consider using browser extensions that enhance security, such as Content Security Policy (CSP) enforcers or script blockers, to help mitigate the impact of potential XSS attacks while using the app.
  6. Keep an eye on updates from the app’s developers regarding any patches or security updates.
  7. Subscribe to official communication channels so the app receives timely notifications about security issues and updates.