Bugzilla – Bug 1178880
VUL-0: CVE-2020-8031: obs: Stored XSS
Last modified: 2021-02-11 14:56:16 UTC
We received a direct report regarding a stored XSS vulnerability on the Open Build Service front-end:

Stored XSS

# Issue Description

User can add a malicious comment to every project in OBS system. The markdown parser used by OBS web server has a flaw which allows an attacker to inject arbitrary attributes into html <a> tag. An attacker can make XSS attack and insert style attribute to stretch out malicious tag to the full screen and insert onmouseover attribute to immediately execute JavaScript code. This will result in a situation, when an OBS user willing to check any project in OBS system will be immediately attacked by a malicious JavaScript in a comment.

# Expected Result

Perform HTML encode of the user supplied href value.

# How to Reproduce

1. Sign up into OBS
2. Open the desired project and add the malicious comment in markdown markup with payload e.g.

```
[-](' style="display: block; position: fixed; top: 0; left: 0; z-index: 99999; width: 9999px; height: 9999px; font-size: 1px;" onmouseover="console.log('Stored XSS.');var to_delete=document.getElementsByName('hidden_id');to_delete[0].removeAttribute('style');" name='hidden_id)
```

3. JavaScript will be executed for every project visitor almost immediately because the tag has been stretched to the full screen and users are moving their mouse almost all the time.
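The report's expected result (HTML-encode the user-supplied href value), shown as an added Ruby example; this is not OBS code and not the markdown parser OBS uses. The renderer, regex, helper names and sample input are constructed, and the single-quoted `href` template in the vulnerable form is an assumption inferred from the leading quote in the reported comment.

```ruby
require 'erb'

# Hypothetical minimal renderer for markdown inline links: [text](url).
# It only models the reported flaw; it is not the parser OBS uses.
LINK = /\[([^\]]*)\]\(([^)]*)\)/

# Vulnerable form (assumed): the url is interpolated unescaped into a
# single-quoted attribute, so a quote inside the url ends the href value
# and everything after it is parsed as further attributes.
def render_link_unsafe(markdown)
  markdown.gsub(LINK) do
    text, url = Regexp.last_match(1), Regexp.last_match(2)
    "<a href='#{url}'>#{ERB::Util.html_escape(text)}</a>"
  end
end

# Hardened form: HTML-encode the href value before it reaches the
# attribute, so quotes in the url stay inside the attribute value.
def render_link_safe(markdown)
  markdown.gsub(LINK) do
    text, url = Regexp.last_match(1), Regexp.last_match(2)
    "<a href=\"#{ERB::Util.html_escape(url)}\">#{ERB::Util.html_escape(text)}</a>"
  end
end

# Regression-check helper: attribute names present on the first <a> tag.
def anchor_attributes(html)
  tag = html[/<a\b[^>]*>/].to_s
  tag.scan(/([a-zA-Z-]+)\s*=\s*(?:"[^"]*"|'[^']*')/).flatten
end

# Constructed sample with the same shape as the reported comment, shortened.
SAMPLE = %q{[-](' onmouseover="x" name='n)}

if __FILE__ == $PROGRAM_NAME
  puts "unsafe attributes: #{anchor_attributes(render_link_unsafe(SAMPLE)).inspect}"
  puts "safe attributes:   #{anchor_attributes(render_link_safe(SAMPLE)).inspect}"
  puts render_link_safe(SAMPLE)
end
```

A check like `anchor_attributes` fits a regression test for the renderer: a rendered comment link should carry no attribute that the renderer itself did not emit.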
obs-server.changes:

- Update to version 2.10.4

  Bugfixes
  ========

  Frontend
  * CVE-2020-8020: Possible stored XSS attack on comments markdown
Please use CVE-2020-8031 for tracking this
We have just published a new minor release of OBS, 2.10.8, where the issue mentioned in this ticket is fixed. CVE-2020-8031.
appliance released, hosted service was already fixed earlier