CVE-2022-21186 The package @acrontum/filesystem-template before 0.0.2 is vulnerable to Arbitrary Command Injection due to the fetchRepo API missing sanitization of the href field of external input.
It is possible to inject a command from a remote site by setting the src field of the href attribute to a malicious URL.
Now let’s see how to exploit this vulnerability in the following code.
<!DOCTYPE HTML>
<html>
<head>
<title>Vulnerability Test</title>
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/acrontum-filesystem-template/0.0.2/css/fontAwesome.min.css">
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/acrontum-filesystem-template/0.0.2/css/fontAwesome.min.css">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax
Steps to reproduce:
1. Open any webpage
2. Observe that the stylesheet URL is vulnerable to remote injection
3. Save the webpage with an attacker's style sheet URL as src (e.g. https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css)
4. Refresh the page and observe that the attacker's style sheet is applied
5. Click on "Show more" next to a text box and observe that the text can be overwritten
6. Repeat steps 3-5 using different URLs
7. Click on "Save" next to a text box and observe that it also can be overwritten
Timeline
Published on: 08/05/2022 05:15:00 UTC
Last modified on: 08/11/2022 18:23:00 UTC