CVE-2022-21186 The package @acrontum/filesystem-template before 0.0.2 is vulnerable to Arbitrary Command Injection due to the fetchRepo API missing sanitization of the href field of external input.

It is possible to inject a command from a remote site by setting the src field of the href attribute to a malicious URL.

Now let’s see how to exploit this vulnerability in the following code.

<!DOCTYPE HTML>
<html>
<head>
<title>Vulnerability Test</title>
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/acrontum-filesystem-template/0.0.2/css/fontAwesome.min.css">
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/acrontum-filesystem-template/0.0.2/css/fontAwesome.min.css">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax

Steps to reproduce:

1. Open any webpage
2. Observe that the stylesheet URL is vulnerable to remote injection
3. Save the webpage with an attacker's style sheet URL as src (e.g. https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css)
4. Refresh the page and observe that the attacker's style sheet is applied
5. Click on "Show more" next to a text box and observe that the text can be overwritten
6. Repeat steps 3-5 using different URLs
7. Click on "Save" next to a text box and observe that it can also be overwritten
