GoSecure Titan Labs discovered a stored cross-site scripting (XSS) vulnerability in IBM Content Navigator. Users are strongly advised to upgrade to version 3.0.9 or above. This blog post details the vulnerability, its impact and provides a proof of concept for exploitation.
IBM rated this vulnerability with a CVSS 3.0 rating of 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) which results in a medium severity vulnerability.
Exploitation of this issue could allow attackers to execute code in the victim’s browser that could lead to accessing certain types of data such as cookies or credentials within a trusted session.
In the IBM Content Navigator platform, users can upload files that will then be served by the platform. To exploit the vulnerability associated with this feature, an attacker needs to upload a malicious file containing HTML content via the file upload functionality. Successful exploitation could allow the attacker to obtain the victim’s session cookie or conduct social engineering attacks.
For instance, a valid attack scenario would be to clone the application’s login page within the malicious HTML file. Once opened it would alert the end-user that their session has expired prompting them to enter their credentials and therefore potentially lead to account takeover.
Exploitation of this vulnerability can be achieved using the following steps:
1st Step: Create the HTML file containing the malicious payload. For this demonstration, the following payload was used:
2nd Step: Click on the drop-down icon to select the upload file option.
3rd Step: Upload the file
Search for the file via the AppID assigned in step 2 and then select the result for the search AppID and either “Preview” or “Open in a new tab”.
This will display the XSS and user’s cookie.
To ensure adequate protection against this vulnerability, update IBM Content Navigator to version 3.0.9 and above.
If this is not currently possible, as mentioned by IBM, the IBM Content Navigator viewer map can be configured to prevent users from opening or previewing certain types of documents as described in this article: https://www-03preprod.ibm.com/support/knowledgecenter/SSEUEX_3.0.8/com.ibm.installingeuc.doc/eucco011.htm
Vulnerabilities like Cross-Site Scripting, caused by a lack of user-input filtering, are well known but are still very prevalent. By using well-known security solutions, following secure development practices, and ensuring that commercial applications are always up to date, you can avoid vulnerabilities like these and keep your application secure.
This vulnerability was assigned CVE-2020-4757 and has been disclosed to the vendor following our responsible disclosure process. The IBM Security Bulletin is available here.
Vulnerability identified and documented by Olivier Laflamme and blog post by Louis-Philippe Frenette Blais.