#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Web Application Frontend
# Vendor:   Storyblok
# CSNC ID:  CSNC-2022-001
# Subject:  Cross-Site Scripting
# Severity: High
# Effect:   Cross-Site Scripting
# Author:   Stephan Sekula
# Date:     2022-01-10
#
#############################################################

Introduction
------------
The world's first headless CMS that works for both developers & business
users. Storyblok offers a unique combination of visual editing tools and
highly customizable content blocks for marketers on top of a modern
headless architecture that gives developers the flexibility to build fast
and reliable digital platforms. [1]

During a customer project, we found that the current user's name can be
set to arbitrary content. Because the name is later rendered without
output encoding, this results in Cross-Site Scripting that is triggered in
other users' browsers.

Technical Description
---------------------
An attacker can change their own user name to a payload such as

    test'">

The leading quote characters and closing angle bracket break out of the
HTML attribute and tag in which the name is embedded, so the remainder of
the payload is interpreted as markup. Once another user hovers with their
mouse over the malicious user's profile picture, the injected JavaScript is
executed in that user's session. This could be abused to, for example,
steal another user's session.

Vulnerability Classification
----------------------------
CVSS v3.1 Metrics [2]:
 - CVSS Base Score: 8.4 (High)
 - CVSS Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Workaround / Fix
----------------
Storyblok needs to apply output encoding to the user name fields wherever
they are rendered; there is no customer-side workaround.

Timeline
--------
2021-01-10: Vulnerability discovered
2021-01-10: Informed developer about the vulnerability
2021-01-10: Developer fixed the vulnerability
2022-01-11: Coordinated public disclosure

References
----------
[1] https://www.storyblok.com/
[2] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H&version=3.1
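The following is an added example illustrating the bug class described in the Technical Description; it is not Storyblok's code and does not reproduce the exact payload used in the assessment (that string is only partially shown above). It assumes, as a simplification, that the user name lands in a double-quoted HTML attribute of the profile picture, and it uses constructed data: the attacker-controlled name MALICIOUS_NAME, the functions renderAvatarVulnerable, encodeHtml, renderAvatarHardened and countTags, and the URL https://example.invalid/a.png are all made up for the demonstration. It contrasts unencoded string concatenation with contextual output encoding, which is the fix the advisory asks the vendor for.

```javascript
// Added example (not Storyblok code). Shows how an unencoded user name
// breaks out of an HTML attribute, and how output encoding stops it.

// Constructed attacker-controlled display name. It starts with '"> to
// close the surrounding attribute and tag, then injects an element with
// an onmouseover handler, matching the hover trigger in the advisory.
const MALICIOUS_NAME =
  'test\'"><img src=x onmouseover=alert(document.cookie)>';

// Vulnerable rendering: untrusted values are concatenated straight into
// markup. The name ends up inside title="..." with no encoding at all.
function renderAvatarVulnerable(user) {
  return '<img class="avatar" src="' + user.avatarUrl +
         '" title="' + user.name + '">';
}

// Encodes a value for HTML text content and for double- or single-quoted
// attribute values. All five characters that can change the meaning of
// those contexts are replaced by character references.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: every untrusted value is encoded for the context it
// is placed in. The src attribute additionally gets an allow-list check so
// that a javascript: or data: URL cannot be smuggled in (assumption: only
// http(s) avatar URLs are legitimate in this hypothetical application).
function renderAvatarHardened(user) {
  const src = /^https?:\/\//i.test(user.avatarUrl) ? user.avatarUrl : '';
  return '<img class="avatar" src="' + encodeHtml(src) +
         '" title="' + encodeHtml(user.name) + '">';
}

// Demo-only check: counts element start tags in the rendered markup. The
// intended output contains exactly one <img>; anything more means the
// user name was interpreted as HTML.
function countTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// Stand-alone run: compare both renderings for the same constructed user.
const demoUser = { name: MALICIOUS_NAME,
                   avatarUrl: 'https://example.invalid/a.png' };
console.log('vulnerable:', renderAvatarVulnerable(demoUser));
console.log('hardened:  ', renderAvatarHardened(demoUser));
```

In a real frontend the preferable fix is to avoid building markup from strings at all and set the value through DOM properties (for example `img.title = user.name`), which never parses the name as HTML; the string-based encoder above is shown because it runs outside a browser and makes the attribute-context escaping explicit. Whichever approach is used, the encoding has to be applied at output time for the specific context (attribute, text node, URL), not by filtering characters on input.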