CVE-2021-40840 - Stored XSS

Created: 2021-12-07

Overview

During a security audit of a LiveConfig customer, Dr. Arne Kersting from mgm security partners GmbH discovered a Stored XSS in LiveConfig. Contact data containing malicious code was displayed in search results without proper escaping.

Cause

LiveConfig escapes all data depending on its output format. The search results are loaded in JSON format and displayed using JavaScript. In this case, the JSON payload was not transmitted as a separate response, but embedded directly into the HTML page (to save one round trip). However, the payload was not additionally HTML/XML-encoded for that embedding context, so an XSS attack was possible.
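The failure mode described above, as an added example that is not LiveConfig's code: a JSON payload that is correct as a standalone response becomes unsafe once it is pasted into an inline `<script>` block, because the HTML parser ends the script at the first `</script` sequence regardless of JavaScript string quoting. The fix shown, escaping the HTML-significant characters as `\uXXXX` sequences that JSON still decodes to the original characters, is the standard mitigation; the function and variable names and the contact record are constructed for this illustration.

```javascript
// Added example (not LiveConfig code): embedding JSON inside an HTML page.
// JSON.stringify alone is not enough for this context, because the HTML
// tokenizer closes an inline script at the first "</script" it sees, no
// matter what JavaScript string it is inside. Escaping "<", ">" and "&"
// (plus the two line terminators that break JS string literals) as \uXXXX
// keeps the data intact while removing anything the HTML parser could act on.

// Characters that must never appear literally in JSON embedded in HTML.
const HTML_SAFE_ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Serialize `value` so it can be placed directly inside <script>...</script>
// (or a data attribute) without terminating the script or opening a new tag.
function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(
    /[<>&\u2028\u2029]/g,
    (ch) => HTML_SAFE_ESCAPES[ch],
  );
}

// Unsafe variant for comparison: the plain JSON response body, unchanged.
function jsonUnsafe(value) {
  return JSON.stringify(value);
}

// Render the page fragment that hands search results to client-side code.
// `serializer` lets the caller compare the unsafe and the hardened form.
function renderSearchResultsPage(results, serializer) {
  return `<script>window.searchResults = ${serializer(results)};</script>`;
}

// Check modelled on the HTML tokenizer's rule: the script element ends at
// the first case-insensitive "</script". The page is intact only if that
// first occurrence is the closing tag we emitted at the very end.
function scriptBlockIsIntact(html) {
  const body = html.slice('<script>'.length);
  const closeIdx = body.toLowerCase().indexOf('</script');
  return closeIdx === body.length - '</script>'.length;
}

// Constructed sample contact record (hypothetical data). The name carries
// markup of the kind a malicious contact entry could contain.
const sampleResults = [
  {
    id: 1,
    name: 'Example Ltd. </script><b>injected markup</b>',
    email: 'info@example.invalid',
  },
];

// Decode the hardened JSON again to show the data survives unchanged.
function roundTripsUnchanged(results) {
  return JSON.parse(jsonForInlineScript(results))[0].name === results[0].name;
}

const unsafePage = renderSearchResultsPage(sampleResults, jsonUnsafe);
const safePage = renderSearchResultsPage(sampleResults, jsonForInlineScript);

console.log('unsafe embedding keeps script intact:', scriptBlockIsIntact(unsafePage));
console.log('hardened embedding keeps script intact:', scriptBlockIsIntact(safePage));
console.log('hardened JSON decodes to original data:', roundTripsUnchanged(sampleResults));
```

Inside a `<script>` element only `<` actually matters to the HTML parser (for `</script` and `<!--`); `>` and `&` are escaped as well so the same serializer is safe when the JSON lands in an attribute value or a `<textarea>`, where those characters are significant. The round-trip check is the regression test worth keeping: it confirms the escaping changed only the transport form, not the contact data the JavaScript renderer receives.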

Risk

Only an administrator or reseller can edit a customer's contact data. Likewise, the search results (quick search) were displayed without proper encoding only to the administrator/reseller owning that contact.

We therefore estimate the impact of an XSS attack to be low, since end users could not inject malicious code, and no privilege levels other than that of the direct object owner were affected.

Acknowledgements

We want to thank Dr. Arne Kersting (mgm security partners GmbH) for the responsible disclosure of the detected security issue and for the friendly and open communication.

  • reported: 2021-09-09 18:09 GMT+2
  • fixed: 2021-09-10 10:41 GMT+2 (commit 3ffe1352)
  • affected versions: up to v2.12.2
  • fixed in: v2.12.3 / v2.13.0