#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Canopy [1]
# Vendor:   CheckSec
# CSNC ID:  CSNC-2021-015
# CVE ID:   CVE-2021-34815
# Subject:  Cross-Site Scripting (XSS)
# Risk:     Medium
# Effect:   Remotely exploitable
# Author:   Stephan Sekula
# Date:     17.06.2021
#
#############################################################

Introduction
------------

Canopy helps security and audit teams manage and deliver their security
assessments faster and better. Teams can easily stay on top of their
workflow, track projects from start to finish, and quickly go from raw
tool output and manual findings to high-quality reports. Canopy brings
efficiencies to teams and reduces costs for the business.

The LOGIN_PAGE_DISCLAIMER parameter does not employ output encoding. It is
possible for an administrator user to inject HTML elements, which could be
abused in phishing attacks.

Affected
--------

Vulnerable:
 * CheckSec Canopy 3.5.1

Not vulnerable:
 * CheckSec Canopy 3.5.2

No other version was tested, but older versions are believed to be
vulnerable as well.

Technical Description
---------------------

A payload, such as can be injected into the LOGIN_PAGE_DISCLAIMER parameter
by administrative users. This code is then embedded into the login page,
allowing the attacker to conduct phishing attacks and gain access to user
credentials.

Workaround / Fix
----------------

Output should be encoded according to the context into which it is being
inserted.

Timeline
--------

2021-06-02: Discovery by Stephan Sekula
2021-06-02: Initial vendor notification
2021-06-02: Initial vendor response
2021-06-17: Assigned CVE-2021-34815
2021-06-17: Release of fixed version
2021-06-17: Coordinated public disclosure date

References
----------

[1] https://www.checksec.com/canopy.html
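As an added illustration of the context-specific output encoding the fix section calls for (example code, not Canopy's or CheckSec's own), the following JavaScript contrasts the vulnerable pattern, where the LOGIN_PAGE_DISCLAIMER setting is concatenated into the login page unencoded, with a version that encodes the value for each HTML context it lands in. The template layout, the settings object and the function names are assumptions.

```javascript
// Added example (not Canopy's own code). LOGIN_PAGE_DISCLAIMER is the setting
// named in the advisory; the template and function names are assumed here.

// Escape for HTML element content (text between tags).
function encodeForHtmlBody(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[ch]);
}

// Escape for a quoted HTML attribute value. Hex-encoding every character
// that is not alphanumeric covers anything that could close the attribute
// or the tag, regardless of which quote style the template uses.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (ch) => `&#x${ch.codePointAt(0).toString(16)};`);
}

// Vulnerable pattern: the admin-controlled setting is inserted verbatim, so
// any markup it contains becomes part of the login page.
function renderLoginPageVulnerable(settings) {
  return `<div class="disclaimer">${settings.LOGIN_PAGE_DISCLAIMER}</div>`;
}

// Hardened pattern: the same value, encoded once per context it appears in
// (attribute value and element body need different encoders).
function renderLoginPageFixed(settings) {
  const text = settings.LOGIN_PAGE_DISCLAIMER;
  return `<div class="disclaimer" title="${encodeForHtmlAttribute(text)}">` +
         `${encodeForHtmlBody(text)}</div>`;
}

// Constructed sample: a disclaimer that contains markup instead of plain text.
const sampleSettings = {
  LOGIN_PAGE_DISCLAIMER: 'Authorised use only <b>see policy</b> & "terms"',
};

console.log(renderLoginPageVulnerable(sampleSettings)); // markup survives
console.log(renderLoginPageFixed(sampleSettings));      // markup is inert text
```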