RXSS in onpremises version of structurizr in structurizr/onpremises

Valid

Reported on

Oct 3rd 2023


Description

During the investigation it was found that the onpremises API endpoint's GET parameter "version" is vulnerable to XSS injection: /workspace/[workspaceid]?version=1;

Proof of Concept

1. Visit the link provided: http://<your-host>/workspace/1/?version=1%22);alert(1);
2. XSS injected

Impact

JavaScript code execution in the context of the user's web browser.

Occurrences

As I understand the logic of the app, ${workspace.internalVersion} should have only integer values:

We are processing your report and will contact the structurizr/onpremises team within 24 hours. 5 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
We have opened a pull request with a SECURITY.md for structurizr/onpremises to merge. 4 months ago
We have contacted a member of the structurizr/onpremises team and are waiting to hear back 4 months ago
structurizr/onpremises maintainer
4 months ago

Maintainer


Thanks - that's fixed in build 3194.

structurizr/onpremises maintainer validated this vulnerability 4 months ago
alexeymyasnikov has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
structurizr/onpremises maintainer marked this as fixed in 3194 with commit 6cff4f 4 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago
workspace-summary.jsp#L239 has been validated
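The root cause noted in the Occurrences section (a request-controlled value that should only ever be an integer being written into an inline script) illustrated as an added example; this is not the project's JSP code: the render_* functions are constructed stand-ins for the template pattern, and the request URLs are constructed, not captured traffic.

```python
import json
import re
from urllib.parse import urlsplit, unquote

# Constructed request URLs mirroring the endpoint shape from the report (not real traffic).
REQUESTS = [
    "/workspace/1/?version=1",                 # benign
    "/workspace/1/?version=1%22);alert(1);",   # the report's payload, URL-encoded
    "/workspace/1/",                           # no version parameter
]


def raw_version(url):
    """Return the decoded 'version' query value as the server would see it, or None.
    Splits on '&' only, so a ';' inside the value is kept as part of the value."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "version":
            return unquote(value)
    return None


def parse_version(url):
    """Allow-list validation: accept only a short decimal integer, else None."""
    raw = raw_version(url)
    if raw is None or not re.fullmatch(r"[0-9]{1,10}", raw):
        return None
    return int(raw)


def render_unsafe(raw):
    """Hypothetical vulnerable pattern: the raw value is pasted into a JS string
    literal with no validation or encoding, so a quote in the input ends the string."""
    return 'var version = "%s";' % raw


def render_safe(url):
    """Hardened pattern: validate the type first, then emit a JSON literal so the
    output can only ever be a number, never script."""
    version = parse_version(url)
    if version is None:
        raise ValueError("version must be a positive integer")
    return "var version = %s;" % json.dumps(version)


def is_suspicious(url):
    """Log-review helper: flag requests that carry a non-integer version parameter."""
    return raw_version(url) is not None and parse_version(url) is None
```

Running render_unsafe on the payload shows the string literal being closed early, while render_safe rejects the same request before anything is rendered.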
alexeymyasnikov
4 months ago

Researcher


Hello, dear structurizr team. Could I request CVE assigning for the related vuln?

structurizr/onpremises maintainer
4 months ago

Maintainer


If you're referring to the graph.jsp vulnerability in the UI repo and you're going to credit the discovery and fix to us, sure, feel free to raise a new CVE. The fix commit is https://github.com/structurizr/ui/commit/8a0cf9564de6a4889c665998407c7de50046bdc8#diff-a981ee479c8ac3427947512bef5bbd17bc0132749b9ea15ed85bfed2958fc923 and the fixed build number is 3157.

alexeymyasnikov
4 months ago

Researcher


No, I'm talking about workspace-summary.jsp and fix https://github.com/structurizr/onpremises/commit/6cff4f792b010dfb1ff6a0b4ae1c6e398f8f8a18

structurizr/onpremises maintainer
4 months ago

Maintainer


"Could I request CVE assigning for the related vuln?"

I'm not sure what you're asking. What does "CVE assigning" mean?

alexeymyasnikov
4 months ago

Researcher


If I get it right, this platform can be used to help in the process of CVE assigning. If the vulnerability provided by the researcher is correct and you validated and fixed it, then it can be added to the vulnerability database (https://cve.mitre.org/) and assigned a CVE number by the host of this website. When you closed my report you decided not to assign a CVE ("This vulnerability will not receive a CVE", 6 days ago). I am just asking you to reconsider your decision and assign a CVE to this vulnerability.

This is what the site host replied to me: "You can request from the maintainer in the comments section to assign a CVE and if they decide to, I can manually assign one on your behalf."

As I understand, this can be done somewhere from the website interface.

structurizr/onpremises maintainer
4 months ago

Maintainer


Apologies, I've never used this platform before. I don't see any actions related to CVEs on the website interface ... just "Thank/Ban researcher". I don't remember seeing anything when I added the fix build number/commit hash either. You're welcome to assign a CVE, but I have no idea how to do it, I'm afraid.

alexeymyasnikov
4 months ago

Researcher


Ok, no problem! For me this is also the first time using it. I think we can ask @admin for help.

Ben Harvie
4 months ago

Admin


CVE assigned as requested :)
