Bug 1178880 (CVE-2020-8031) - VUL-0: CVE-2020-8031: obs: Stored XSS
Summary: VUL-0: CVE-2020-8031: obs: Stored XSS
Status: RESOLVED FIXED
Alias: CVE-2020-8031
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/271831/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-17 10:46 UTC by Wolfgang Frisch
Modified: 2021-02-11 14:56 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Wolfgang Frisch 2020-11-17 10:46:51 UTC
We received a direct report regarding a stored XSS vulnerability on the Open Build Service front-end:

Stored XSS

# Issue Description

A user can add a malicious comment to every project in the OBS system. The markdown parser used by the OBS web server has a flaw which allows an attacker to inject arbitrary attributes into the HTML <a> tag. An attacker can mount an XSS attack, inserting a style attribute to stretch the malicious tag to the full screen and an onmouseover attribute to execute JavaScript code immediately. This results in a situation where an OBS user wanting to check any project in the OBS system is immediately attacked by malicious JavaScript in a comment.

# Expected Result

HTML-encode the user-supplied href value.

# How to Reproduce

1. Sign up for OBS
2. Open the desired project and add a malicious comment in Markdown markup with a payload, e.g.

```
[-](' style="display: block; position: fixed; top: 0; left: 0; z-index: 99999; width: 9999px; height: 9999px; font-size: 1px;" onmouseover="console.log('Stored XSS.');var to_delete=document.getElementsByName('hidden_id');to_delete[0].removeAttribute('style');" name='hidden_id)
```

Photo 1

3. JavaScript will be executed for every project visitor almost immediately, because the tag has been stretched to the full screen and users move their mouse almost all the time.
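The report above describes an href value interpolated unescaped into a single-quoted <a> attribute, which is why the payload opens with a lone ' and closes with name='hidden_id. The following is an added example, not OBS code: a toy Markdown link renderer with the vulnerable interpolation beside the fix the reporter asks for (HTML-encoding the attribute value), plus a small attribute scanner to show which attributes survive each rendering. The regex, function names and the scheme check are assumptions for illustration; the payload string is the one from the report. It also shows the caveat that encoding alone does not stop a javascript: target, which is why the hardened renderer additionally restricts the URL scheme.

```ruby
require 'cgi'

# Added example (not OBS code). Toy Markdown link renderer: [text](target).
# The target group is greedy so that a target containing ')' (as the
# onmouseover payload does) is captured whole.
LINK_RE = /\[([^\]]*)\]\((.*)\)/m

# The reporter's payload from the report above, verbatim.
PAYLOAD = %q{[-](' style="display: block; position: fixed; top: 0; left: 0; z-index: 99999; width: 9999px; height: 9999px; font-size: 1px;" onmouseover="console.log('Stored XSS.');var to_delete=document.getElementsByName('hidden_id');to_delete[0].removeAttribute('style');" name='hidden_id)}

# Vulnerable: the target goes into a single-quoted href unescaped, so a
# leading "'" closes the attribute and the rest becomes new attributes.
def render_link_unsafe(markdown)
  markdown.gsub(LINK_RE) do
    "<a href='#{Regexp.last_match(2)}'>#{Regexp.last_match(1)}</a>"
  end
end

# Hardened: HTML-encode the attribute value and the link text. With
# scheme_check (assumed policy for this example) also replace targets that
# are not http(s), site-relative or fragment links with '#', because a
# javascript: URL contains nothing that HTML encoding would alter.
def render_link_safe(markdown, scheme_check: true)
  markdown.gsub(LINK_RE) do
    text   = Regexp.last_match(1)
    target = Regexp.last_match(2).strip
    target = '#' if scheme_check && !target.match?(%r{\A(https?://|/|#)}i)
    "<a href='#{CGI.escapeHTML(target)}'>#{CGI.escapeHTML(text)}</a>"
  end
end

# Attributes of the first <a ...> start tag, as a lenient tokenizer would
# see them: name => value for every quoted name=value pair in the tag.
def anchor_attributes(html)
  tag = html[/<a\b([^>]*)>/, 1] or return {}
  tag.scan(/([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/)
     .to_h { |name, dq, sq| [name, dq || sq] }
end

if __FILE__ == $PROGRAM_NAME
  puts render_link_unsafe(PAYLOAD)                        # onmouseover survives
  puts render_link_safe(PAYLOAD, scheme_check: false)     # one long, inert href
  puts render_link_safe(PAYLOAD)                          # href='#'
end
```

Running the block prints the three renderings: the unsafe one carries style, onmouseover and name as real attributes of the anchor; the encoded one has a single href whose value is the whole payload with every quote turned into &#39; or &quot;; the scheme-checked one reduces it to href='#'.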
Comment 4 Wolfgang Frisch 2020-11-17 16:47:08 UTC
obs-server.changes:

- Update to version 2.10.4

Bugfixes
========
  Frontend
   * CVE-2020-8020: Possible stored XSS attack on comments markdown
Comment 8 Johannes Segitz 2020-11-27 14:49:28 UTC
Please use CVE-2020-8031 for tracking this
Comment 9 Saray Cabrera Padrón 2020-12-04 12:48:44 UTC
We have just published a new minor release of OBS, 2.10.8, where the issue mentioned in this ticket is fixed. CVE-2020-8031.
Comment 10 Marcus Meissner 2021-01-28 15:46:22 UTC
Appliance released,
hosted service was already fixed earlier.