A critical security vulnerability, tracked as CVE-2023-38970, has been discovered in Badaso, a popular Laravel-based content management system (CMS) and API framework. This vulnerability affects Badaso versions from ..1 through 2.9.7 and allows an attacker to execute arbitrary code remotely through a crafted payload in the "Name of member" parameter of the "Add new member" function. The vulnerability is classified as cross-site scripting (XSS): the attacker injects script that is executed when users interact with the compromised web application.
Here is a code snippet illustrating the vulnerability:
    // BadasoController.php (vulnerable version, as described in the advisory)
    // At the top of the file:
    use Illuminate\Http\Request;

    public function addNewMember(Request $request)
    {
        // ...
        // The raw request values are taken as-is: no validation, no escaping.
        $memberName = $request->input('member_name');
        $memberRole = $request->input('member_role');
        // ...
        // The unsanitized name is persisted and later shown on the member's details page.
        $newMember = new Member([
            'name' => $memberName,
            'role' => $memberRole,
        ]);
        $newMember->save();
        // ...
    }
In this code snippet, the member_name parameter is neither validated nor sanitized before being saved to the database, and the stored value is later rendered on the member's details page, so an attacker can inject markup that the browser will execute.
To exploit this vulnerability, an attacker can use a crafted payload like the following:
    <img src=x onerror=alert('XSS') />
The attacker injects this payload into the "Name of member" field when adding a new member to the application. When an administrator or any other user visits that member's details page, the payload executes in that user's browser, potentially compromising the system.
For more details on this vulnerability, please visit the following references:
1. CVE-2023-38970 — Official CVE entry on MITRE.org
2. Badaso Repository — Official repository for Badaso on GitHub
3. Badaso Release Notes — Official release notes and changelog information
4. OWASP Cross-Site Scripting (XSS) — Information on XSS by OWASP
To protect your application against this vulnerability, there are two primary recommendations:
1. Update Badaso to version 2.9.8 or later, as this version includes a patch that properly sanitizes the input from the "Name of member" field.
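The patch the advisory refers to sanitizes the "Name of member" input. The following is an added example, not Badaso's own code, of the two layers a practitioner would put in place for this bug: rejecting markup at the input boundary, and HTML-encoding at the output boundary so that records stored before the upgrade are also neutralized. It uses plain PHP instead of Laravel's request validation and Blade so it runs on its own; the function names, the regular expression and the length limit are assumptions.

```php
<?php
// Added example (not Badaso's own code). Plain PHP stands in for the
// Laravel request/Blade layer so both defences run stand-alone.

// Constructed sample input: the payload quoted in the advisory.
const SAMPLE_PAYLOAD = "<img src=x onerror=alert('XSS') />";

// Defence 1: validate at the input boundary. A display name has no
// business containing markup, so reject it instead of trying to "clean"
// it; rejected input is never stored. (In Laravel this would be a
// validation rule on the request; the regex and limit are assumptions.)
function validateMemberName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name) > 100) {
        return null;
    }
    // Any character that can open a tag, an attribute or an entity fails.
    if (preg_match('/[<>&"\']/u', $name) === 1) {
        return null;
    }
    return $name;
}

// Defence 2: encode at the output boundary, whatever the database holds.
// Blade's {{ }} applies Laravel's e() helper, which calls htmlspecialchars
// with ENT_QUOTES; {!! !!} skips it and is where stored XSS surfaces.
function renderMemberName(string $storedName): string
{
    return htmlspecialchars($storedName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A benign name passes validation unchanged.
var_dump(validateMemberName('Alice Example'));

// The payload is rejected before it can be stored (returns null)...
var_dump(validateMemberName(SAMPLE_PAYLOAD));

// ...and a record written before the patch is still rendered as inert
// text, because encoding happens on the way out, not on the way in.
echo renderMemberName(SAMPLE_PAYLOAD), PHP_EOL;
```

Both layers are needed: validation alone leaves pre-patch rows dangerous, and output encoding alone relies on every view using the escaping syntax.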
Conclusion
The discovery of CVE-2023-38970 underlines the importance of continuously monitoring and updating the software used in your applications. This particular XSS vulnerability in Badaso could potentially lead to severe consequences if not addressed promptly. By ensuring your software is up-to-date and implementing secure coding practices, you can greatly reduce the risks associated with such vulnerabilities.
Timeline
Published on: 08/30/2023 22:15:08 UTC
Last modified on: 09/01/2023 14:47:20 UTC