Rollout::UI Cross-site scripting exploit

Rollout::UI is a minimalist UI for the rollout gem that you can mount as a Rack app. The gem has a cross-site scripting vulnerability: the feature name is not escaped properly in the "Do you really want to delete" confirmation dialog, so when the user clicks "Delete", the page executes the JavaScript embedded in the feature name. The following PoC triggers a JavaScript alert when the "Delete" button is clicked: http://<host>/features/'+alert(document.cookie)+'
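To show the bug class and its fix side by side, here is a constructed Ruby illustration (not rollout-ui's own view code, and not the contents of the linked pull request): it assumes the delete link carried an inline confirm() whose message interpolated the raw feature name into a single-quoted JavaScript string, and renders the same link with context-appropriate escaping applied innermost first.

```ruby
require "erb"
require "json"

# Constructed illustration of the advisory's bug class, not rollout-ui's own template.
# Assumption: the original view interpolated the raw feature name into a single-quoted
# JavaScript string literal inside the Delete link's onclick attribute.

# The feature name from the advisory's PoC URL, as the app sees it after URL decoding.
POC_FEATURE_NAME = "'+alert(document.cookie)+'".freeze

# Vulnerable pattern: no escaping at all. A single quote in the name terminates the
# JS string literal, so the rest of the name runs when the button is clicked.
def delete_button_vulnerable(name)
  %(<a href="/features/#{name}" data-method="delete" ) +
    %(onclick="return confirm('Do you really want to delete #{name}?')">Delete</a>)
end

# Hardened pattern: escape once per nesting level, innermost first.
#   1. The message becomes a JavaScript string literal (String#to_json quotes it and
#      escapes backslashes, double quotes and control characters).
#   2. The whole attribute value is HTML-escaped, turning the remaining quotes, angle
#      brackets and ampersands into entities. The browser decodes the attribute before
#      the JS engine sees it, so the literal arrives intact and inert.
#   3. The path segment is URL-encoded for the href.
def delete_button_hardened(name)
  message = "Do you really want to delete #{name}?"
  js_call = "return confirm(#{message.to_json})"
  onclick = ERB::Util.html_escape(js_call)
  href    = "/features/#{ERB::Util.url_encode(name)}"
  %(<a href="#{href}" data-method="delete" onclick="#{onclick}">Delete</a>)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{delete_button_vulnerable(POC_FEATURE_NAME)}"
  puts "hardened:   #{delete_button_hardened(POC_FEATURE_NAME)}"
end
```

In the hardened output the PoC name survives only as `&#39;+alert(document.cookie)+&#39;` inside a double-quoted JS literal, so the confirm dialog simply displays it; a template engine that auto-escapes HTML still needs the JSON step, because HTML escaping alone does not make a value safe inside a JavaScript string.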

References:

https://github.com/fetlife/rollout-ui/pull/15


Copyright 2024, cxsecurity.com