CVE-2023-26447 - "Upsell" Widget Vulnerability in Portal: A Deep Dive into an Unsanitized Jslob Exploit

The CVE-2023-26447 vulnerability has been recently discovered in the "upsell" widget of a certain portal. This vulnerability allows an attacker to inject malicious code into legitimate JavaScript Object Literals (jslobs), which can then be executed within the victim's context. The consequences of this exploit range from session hijacking to triggering unwanted actions via the web interface and API. This blog post will provide an in-depth look at this vulnerability, its exploit details, associated risks, and solutions to mitigate these risks. Keep in mind that, as of now, no publicly available exploits for this vulnerability are known. We will also link to the original references for further reading.

The Vulnerability

The "upsell" widget in the portal allows users to specify a product description. The issue arises from the fact that the product description is taken from a user-controllable jslob, which is not properly sanitized or escaped before being added to the Document Object Model (DOM). This oversight opens up an opportunity for an attacker to inject malicious script code into the product description.

Here's a code snippet demonstrating the vulnerability

const productDescription = userJslob.productDescription; // User-controlled jslob
const upsellWidget = document.createElement("div");
upsellWidget.innerHTML = productDescription; // No sanitization or escaping

Exploit Details

To exploit this vulnerability, an attacker needs temporary access to a user's account, or lure a user to access a compromised account. With access to the user account, the attacker can then inject malicious script code into the product description. This code will be executed within the victim's context, potentially leading to session hijacking, unauthorized access to sensitive information, or triggering unwanted actions via web interface and API.

Here's an example of an attacker injecting a malicious script as a product description

// Malicious user-controlled jslob
const maliciousJslob = {
  productDescription: '<script>alert("Your session has been hijacked!");</script>',
};

The fix has been introduced recently by the developers. It involves properly sanitizing the jslob content before adding it to the DOM:

const productDescription = userJslob.productDescription;
const sanitizedProductDescription = sanitize(productDescription); // New sanitization
const upsellWidget = document.createElement("div");
upsellWidget.innerHTML = sanitizedProductDescription;

Mitigation Measures

The primary mitigation measure is to sanitize all user-controlled jslob content before adding it to the DOM. This means properly escaping and filtering out any potentially hazardous characters or strings (e.g.,