Rundeck Community Edition Cross Site Scripting

2019.01.29
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: Rundeck Community Edition before 3.0.13 Multiple Stored XSS # Vendor Homepage: https://www.rundeck.com/open-source # Software Link: https://docs.rundeck.com/downloads.html # Exploit Author: Ishaq Mohammed # Contact: https://twitter.com/security_prince # Website: https://about.me/security-prince # Category: webapps # Platform: Java # CVE: CVE-2019-6804 1. Description: Cross-Site Scripting issues affecting multiple fields in the workflow module under job edit form by injecting javascript code in the Arguments, Invocation String, and File Extension field, the input from these fields are rendered in the Execution Preview which is the sink of this vulnerability. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6804 2. Proof of Concept: Vulnerable Endpoints / Systems http://{Rundeck_hostname}/project/{Jobname}/job/edit/{Job_ID} Steps to Reproduce: Login to Rundeck Server with valid credentials. 1. Navigate to any project in the instance. 2. Navigate to the jobs module 3. Select a job 4. From the right hand side drop down menu, select edit this job 5. Navigate to Workflow module 6. Scroll down to arguments field 7. Enter the following payload: <img/src="x"onerror=alert(19) 8. The same payload can be entered in the Advanced mode in the same module in two other fields "Invokation String" and "File Extension" 9. Observe the payload getting executed in the "Execution Preview" 3. Solution: The issue is now patched by the vendor in version 3.0.13 https://docs.rundeck.com/docs/history/version-3.0.13.html https://github.com/rundeck/rundeck/issues/4406 -- Best Regards, Ishaq Mohammed https://about.me/security-prince


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top