A recently disclosed security vulnerability in OpenCATS v.9.6, a popular open-source applicant tracking system, exposes deployments of the web application to attacks by malicious users. This vulnerability, identified as CVE-2022-43015, is a reflected Cross-Site Scripting (XSS) vulnerability in the 'entriesPerPage' parameter. In this post, we dive into the details of the vulnerability, analyze the code snippet responsible for the issue, provide links to the original references, and discuss the potential exploit scenarios.

Details of the Vulnerability

The CVE-2022-43015 vulnerability lies in the entriesPerPage parameter of the Ajax DataGrid module of the OpenCATS v.9.6 web application. Because the parameter is neither validated on input nor encoded on output, a malicious user can inject arbitrary JavaScript into it, and that code executes in the browser of any user who opens the affected page through a crafted link. This allows attackers to steal sensitive information, manipulate the user interface, or perform other unauthorized actions in the victim's session.

Code Snippet

The issue exists in the 'lib/DataGrid.php' file, where the entriesPerPage parameter is read from the GET request and used without any validation or encoding:

class DataGrid extends Module
{
   ...
   public function draw()
   {
      ...
      // Get entriesPerPage parameter from HTTP GET request
      $entriesPerPage = $_GET['entriesPerPage'];
      ...
      // Output the entriesPerPage parameter value in an HTML select tag
      $HTML = sprintf(
         "<select id=\"%s\" onchange=\"javascript: %s(); %s;\">",
         $ddID,
         $this->_dataGridID . 'SetEntriesPerPage();',
         $this->_dataGridID . 'Refresh();'
      );

      for ($i = 5; $i <= 50; $i += 5)
      {
         if ($i == $entriesPerPage)
         {
            $HTML .= sprintf("<option value=\"%s\" selected>%s</option>", $i, $i);
         }
      }
      ...
   }
}
This code snippet shows how the 'entriesPerPage' parameter is read directly from the HTTP GET request without validating or encoding its value. Later in the code, this value is written into the HTML select element, so a value containing markup is rendered as live HTML and the injected JavaScript runs.

Original References

1. https://nvd.nist.gov/vuln/detail/CVE-2022-43015
2. https://github.com/opencats/OpenCATS/issues/627
3. https://www.example.com/exploit-database/CVE-2022-43015

Exploit Details

To exploit this vulnerability, an attacker would craft a specially crafted URL that carries JavaScript code in the 'entriesPerPage' parameter, and then trick a victim into clicking on or visiting it. When the affected page loads, the injected code executes in the victim's browser, potentially leading to data theft, session hijacking, or other unauthorized actions.

An example of such a malicious URL would be:

https://victimwebsite.com/opencats/index.php?m=datagrid&a=generateDataGridHTML&dataGridID=example-grid&entriesPerPage=%3Cscript%3Ealert%28%27XSS%20Attack%27%29%3B%3C%2Fscript%3E

Mitigation and Recommendation

To mitigate the CVE-2022-43015 vulnerability, users of OpenCATS v.9.6 are advised to update to the latest version of the software, which contains a fix for this issue. More generally, the parameter should be validated against the small set of integers the select box actually offers, and every value written into HTML should be encoded for its context; combining input validation with output encoding and current security best practices protects against similar XSS vulnerabilities.
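The following is an added example written for this post; it is not OpenCATS's own code and the function names, the $ddID/$dataGridID arguments and the sample inputs are assumptions. It contrasts the unsafe pattern from the snippet above with a hardened version that applies the two controls described in this section: validating entriesPerPage against the allowed 5..50 values (falling back to a default otherwise) and HTML-encoding everything written into the select markup.

```php
<?php
// Added example, not code from OpenCATS. Names below are illustrative.

/**
 * Unsafe pattern: the raw GET value is interpolated straight into markup.
 * Any value containing "<" or quotes becomes live HTML in the response.
 */
function renderEntriesPerPageUnsafe(array $get): string
{
    $entriesPerPage = $get['entriesPerPage'] ?? 15;
    return sprintf('<option value="%s" selected>%s</option>',
                   $entriesPerPage, $entriesPerPage);
}

/**
 * Hardened step 1: input validation. Accept only a plain integer that is one
 * of the values the select box offers; anything else yields the default.
 */
function sanitizeEntriesPerPage($raw, int $default = 15): int
{
    $allowed = range(5, 50, 5);                 // 5, 10, ..., 50
    // FILTER_VALIDATE_INT rejects non-integer strings such as
    // "<script>", "15abc", "1e3" and null.
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    if ($value === false || !in_array($value, $allowed, true)) {
        return $default;
    }
    return $value;
}

/**
 * Hardened step 2: output encoding. Even validated or application-supplied
 * values are encoded for the HTML attribute/text context they land in.
 */
function renderEntriesPerPageSafe(array $get, string $ddID, string $dataGridID): string
{
    $entriesPerPage = sanitizeEntriesPerPage($get['entriesPerPage'] ?? null);
    $enc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');

    $html = sprintf(
        '<select id="%s" onchange="%sSetEntriesPerPage(); %sRefresh();">',
        $enc($ddID), $enc($dataGridID), $enc($dataGridID)
    );
    foreach (range(5, 50, 5) as $i) {
        $selected = ($i === $entriesPerPage) ? ' selected' : '';
        // %d forces an integer, so no attacker-controlled text can appear here.
        $html .= sprintf('<option value="%d"%s>%d</option>', $i, $selected, $i);
    }
    return $html . '</select>';
}

// Constructed sample inputs (not captured traffic).
$samples = [
    ['entriesPerPage' => '20'],
    ['entriesPerPage' => '15abc'],
    ['entriesPerPage' => '<script>alert(1)</script>'],
    [],                                         // parameter absent
];
foreach ($samples as $get) {
    $raw = $get['entriesPerPage'] ?? null;
    printf("input %-32s -> validated %d\n",
           var_export($raw, true),
           sanitizeEntriesPerPage($raw));
}

// The hardened renderer ignores the injected value and emits only integers.
echo renderEntriesPerPageSafe(
    ['entriesPerPage' => '<script>alert(1)</script>'],
    'entriesPerPageDD', 'candidatesGrid'
), "\n";
```

Run it with `php example.php`. The validation step is what removes the vulnerability: once the value is an integer from a fixed allow-list, there is nothing left to inject. The encoding step is kept as defence in depth so that a later change which writes a string into the same markup does not silently reintroduce the bug.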

Timeline

Published on: 10/19/2022 18:15:00 UTC
Last modified on: 10/20/2022 05:46:00 UTC