#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Canopy [1]
# Vendor:   CheckSec
# CSNC ID:  CSNC-2022-003
# Subject:  Cross-Site Scripting (XSS)
# Risk:     Medium
# Effect:   Remotely exploitable
# Author:   Stephan Sekula
# Date:     18.02.2022
#
#############################################################

Introduction
------------

Canopy helps security and audit teams manage and deliver their security
assessments faster and better. Teams can easily stay on top of their
workflow, track projects from start to finish, and quickly go from raw
tool output and manual findings to high-quality reports. Canopy brings
efficiencies to teams and reduces costs for the business.

The version of TinyMCE used by Canopy allows injecting JavaScript code
via the "code" element.

Thanks to Michał Bentkowski (@SecurityMB) for his great research!

Affected
--------

Vulnerable:
 * CheckSec Canopy 3.6.2

Not vulnerable:
 * CheckSec Canopy 3.6.3

No other version was tested, but older versions are believed to be
vulnerable as well.

Technical Description
---------------------

Payloads that manipulate TinyMCE's parsing of user input are not
transformed correctly: TinyMCE does not recognize "--!>" as the end of
an HTML comment, while the browser does. This parser mismatch leads to
XSS.

Steps to reproduce:

1. Insert a code element in an active TinyMCE editor
2. Insert a test payload: a -->b
3. The test payload is not transformed correctly, resulting in the
   following HTML:

   a
   -->
   b

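The parser differential behind this finding, as an added example that is not part of the advisory or of TinyMCE's own code: a naive comment scanner that only knows "-->" is compared with one that, like browsers, also closes a comment at "--!>", together with a check and a normalisation a defender can run over editor output before it is stored or rendered. All function names and the sample string are constructed for this illustration.

```javascript
// Added example (not from the advisory or TinyMCE): browsers end an HTML
// comment at "-->" AND at "--!>" (the HTML spec flags the latter as an
// incorrectly-closed, but closed, comment). A parser that only knows "-->"
// keeps treating everything after "--!>" as harmless comment text.

// Locate the comment terminator starting at `start`.
// Returns { at, len } or null if the comment never closes.
// `spec` = true honours "--!>" the way a browser does.
function findCommentEnd(html, start, spec) {
  for (let i = start; i < html.length; i++) {
    if (html.startsWith('-->', i)) return { at: i, len: 3 };
    if (spec && html.startsWith('--!>', i)) return { at: i, len: 4 };
  }
  return null;
}

// Split a string that begins with "<!--" into the comment body and the
// markup that follows it, under either interpretation.
function splitAfterComment(html, spec) {
  if (!html.startsWith('<!--')) return { comment: null, rest: html };
  const end = findCommentEnd(html, 4, spec);
  if (end === null) return { comment: html.slice(4), rest: '' };
  return { comment: html.slice(4, end.at), rest: html.slice(end.at + end.len) };
}

// Detection: true when the naive and the browser interpretation disagree,
// i.e. a sanitizer that only recognises "-->" would let the browser render
// markup the sanitizer never inspected.
function hasCommentCloseDifferential(html) {
  return splitAfterComment(html, false).rest !== splitAfterComment(html, true).rest;
}

// Mitigation: canonicalise the non-standard terminator so that the
// sanitizer and the browser agree on where the comment ends.
function normaliseCommentClose(html) {
  return html.replace(/--!>/g, '-->');
}

// Constructed sample (not from the advisory): a comment closed with "--!>"
// followed by markup that the browser will actually render.
const sample = '<!-- note --!><b>rendered</b>';

console.log(splitAfterComment(sample, false)); // naive: rest is '' (all comment)
console.log(splitAfterComment(sample, true));  // browser: rest is '<b>rendered</b>'
console.log(hasCommentCloseDifferential(sample));                         // true
console.log(hasCommentCloseDifferential(normaliseCommentClose(sample)));  // false
```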
Workaround / Fix
----------------

TinyMCE should be updated to version 5.2.2 or more recent.

Timeline
--------

2022-02-18: Discovery by Stephan Sekula
2022-02-18: Initial vendor notification
2022-02-18: Initial vendor response
2022-02-23: Release of fixed version
2022-02-23: Coordinated public disclosure date

References
----------

[1] https://www.checksec.com/canopy.html