Reflective HTML Injection vulnerability

Introduction

A vulnerability identified by security researcher Ruben Meeuwissen allows an attacker to deface the error page using custom URL parameters.

• CVSS Score: 4.0 (Medium)
• CVE: CVE-2024-33670
• Vulnerability Type: HTML Injection
• Product affected: Passbolt API
• Versions affected: Passbolt API <= v4.6.1
• Version fixed: Passbolt API v4.6.2
• Affected component: Error pages

Vulnerability details

The vulnerability allows for HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, as defined in the default configuration, it may still impact the appearance and user interaction of the page.

Impact analysis

Impact on the integrity of the content is limited to the error pages. The confidentiality or availability of the information is not impacted.

Root cause analysis

Some error messages, such as the one produced by the pagination component, may contain user provided input. Such a message was then presented to the user as the title of the page, without being filtered.

Mitigation and remediations

A fix was deployed as part of Passbolt API v4.6.2. Error messages are now not used as part of the page title.

Acknowledgments

Passbolt would like to acknowledge and thank Ruben Meeuwissen for uncovering and reporting the vulnerability.

Timeline of events

• 2024-04-10: Vulnerability reported by security researcher
• 2024-04-10: Vulnerability analysis and acknowledgement to security researcher
• 2024-04-11: A fix is published as part of passbolt API v4.6.2
• 2024-04-16: CVE requested and incident page published