#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Liima - Automation Middleware (AMW)
# Vendor:   Liima Open Source Project
# CSNC ID:  CSNC-2022-021
# CVE ID:   CVE-2023-26094
# Subject:  Stored Cross-Site Scripting (XSS)
# Risk:     High
# Effect:   Session take over
# Author:   Marc Tanner
# Date:     2023-01-30
#
#############################################################

Introduction
------------

Liima - Automated Middleware makes it possible to manage the configurations of
Java EE applications on an unlimited number of different environments with
various versions, including the automated deployment of those apps[1,2].

Liima v1.17.27 (and possibly earlier versions) allows the injection of
JavaScript code through the tooltip and notification functionality it uses.

Technical Description
---------------------

Liima uses a vulnerable version of the jQuery Tools library[3,4], which does
not properly encode data incorporated into the HTML title attribute. By
storing a sufficiently long value, which forces the automatic creation of a
tooltip, it is possible to execute arbitrary JavaScript code within the
visiting user's session.

The issue was demonstrated on the template name property of a Liima
application definition, but all instances where user-controlled input is
incorporated into a tooltip are affected.

Workaround / Fix
----------------

Upgrade to Liima v1.17.28 or later, which contains the fix[5].

Timeline
--------

2022-10-07: Discovery by Marc Tanner
2022-10-19: Initial vendor notification
2022-10-27: Initial vendor response
2023-01-03: Release of fixed version
2023-01-31: Coordinated public disclosure date

References
----------

[1] https://www.liima.org/
[2] https://github.com/liimaorg/liima#liima
[3] https://jquerytools.org/
[4] https://github.com/jquerytools/jquerytools/pull/853
[5] https://github.com/liimaorg/liima/pull/680
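Added example illustrating the pattern behind the Technical Description above (not code from Liima, jQuery Tools or the advisory author): a tooltip helper that builds its markup from a stored title value, once without encoding and once with HTML entity encoding, plus a check over the rendered output. The length threshold, sample names and function names are assumptions made for the illustration.

```javascript
// Added example, not Liima or jQuery Tools code: how a tooltip helper turns a
// stored title value into tooltip markup, unsafe vs. hardened.
// The threshold, sample names and function names are hypothetical.

const AUTO_TOOLTIP_MIN_LENGTH = 20; // assumed "sufficiently long" cutoff

// Minimal HTML entity encoding for text placed into an HTML element body.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored value is concatenated into markup that is
// later parsed as HTML (e.g. via innerHTML), so any tags in it are honoured.
function tooltipHtmlUnsafe(title) {
  return `<div class="tooltip">${title}</div>`;
}

// Hardened pattern: the value is entity-encoded first, so the browser shows
// the characters literally instead of interpreting them as markup.
function tooltipHtmlSafe(title) {
  return `<div class="tooltip">${escapeHtml(title)}</div>`;
}

// Render tooltips for stored names the way a library might when a value is
// too long to display in full. Returns the markup that would be injected.
function renderTooltips(titles, build) {
  return titles
    .filter((t) => t.length >= AUTO_TOOLTIP_MIN_LENGTH)
    .map(build);
}

// Constructed sample: a short name, a long ordinary name, and a long name
// that carries markup (a harmless <b> tag is enough to show interpretation).
const SAMPLE_TEMPLATE_NAMES = [
  'short',
  'application-config-template-v2',
  '<b>not a real template</b> long enough to trigger',
];

// Review check: does a rendered tooltip body still contain raw angle
// brackets after rendering? True means the value was not encoded.
function containsRawMarkup(html) {
  const body = html.replace(/^<div class="tooltip">/, '').replace(/<\/div>$/, '');
  return /[<>]/.test(body);
}
```

Running renderTooltips with tooltipHtmlUnsafe leaves the markup in the third name intact, while tooltipHtmlSafe produces a body with no raw angle brackets.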