CVE-2023-47260 - Exploiting XSS in Redmine Thumbnails (Analysis & Exploit Demo)
Redmine is a popular open-source project management web application—used by dev teams worldwide for tracking issues and projects. It’s stable, flexible, and widely trusted… Until a flaw like CVE-2023-47260 comes up!
In November 2023, security researchers discovered and reported a nasty cross-site scripting (XSS) vulnerability in Redmine. If your Redmine is below 4.2.11 or on 5..x below 5..6, it’s at risk!
In this post, we’ll explain CVE-2023-47260 in plain English, walk you through the cause, the fix, and demonstrate a simple proof-of-concept (PoC) exploit. Let’s get started!
What is CVE-2023-47260?
CVE-2023-47260 is a stored XSS vulnerability in how Redmine displays image thumbnails. By uploading a specially-crafted file, an attacker injects JavaScript code. Whenever the thumbnail is loaded—BOOM! The script runs in the victim’s browser. This can lead to data theft, account takeover, or session hijacking.
How Does It Work? (Simple Explanation)
Redmine allows users to upload files (attachments) to issues, wiki pages, etc. It tries to show thumbnails for image files. But attackers found that if they upload a “fake image” containing malicious HTML or JavaScript (disguised as an image), Redmine could display that content as-is, especially if the thumbnail renderer fails to block non-image files.
1. An attacker uploads a file named like test.png, but it actually contains dangerous HTML.
2. Redmine thinks it’s an image and displays a preview/thumbnail.
Exploit Demo: The 'XSS Image'
Here’s a basic step-by-step PoC for this XSS (for educational purposes only!).
The attacker creates a text file and names it evil.png. The contents look like this:
<!-- Save as evil.png -->
<html>
<body>
<script>
alert('XSS by evil user! Document.cookie: ' + document.cookie);
</script>
<img src="x" onerror="alert('Another XSS!')">
</body>
</html>
Anyone who views the page triggers the script in their browser.
Result:
The victim will see a JS alert box, but in real attacks, the script could steal cookies, impersonate users, or perform further attacks.
How is This Possible? (Code-Level Glance)
The bug stems from incomplete checking of uploaded file content. Redmine uses the file extension to guess whether a file is an image, but does not always verify its actual MIME type before displaying as a preview.
Excerpt of relevant code (simplified):
# app/views/attachments/_thumbnail.html.erb
<% if attachment.is_image? %>
<%= image_tag(url_for(attachment.thumbnail)) %>
<% end %>
If evil.png is treated as an image, its contents might be rendered unsafely.
- Browsers can parse and run scripts found in files referenced as images, especially with crafted headers.
- Sanitizing the output further prevents script execution.
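As an added, defender-side example (not Redmine's code; the helper names are my own), the following Ruby checks that an upload's leading bytes actually match the image format its extension claims before it is offered for thumbnailing, and lists the response headers to serve with anything that fails the check:

```ruby
# Added example, not Redmine's own code: check an upload's magic bytes instead of
# trusting the extension alone, as the simplified _thumbnail.html.erb excerpt does.
IMAGE_SIGNATURES = {
  "png"  => ["\x89PNG\r\n\x1a\n".b],
  "jpg"  => ["\xFF\xD8\xFF".b],
  "jpeg" => ["\xFF\xD8\xFF".b],
  "gif"  => ["GIF87a".b, "GIF89a".b],
}.freeze

# Returns the format whose signature matches the leading bytes, or nil.
def sniff_image_format(bytes)
  head = bytes.b
  IMAGE_SIGNATURES.each do |fmt, sigs|
    return fmt if sigs.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# True only when the extension claims an image AND the content agrees, so an
# HTML file renamed to evil.png gets no thumbnail at all.
def safe_to_thumbnail?(filename, bytes)
  ext = File.extname(filename).delete_prefix(".").downcase
  return false unless IMAGE_SIGNATURES.key?(ext)
  fmt = sniff_image_format(bytes)
  return false if fmt.nil?
  normalize = ->(f) { f == "jpeg" ? "jpg" : f } # jpg and jpeg are one family
  normalize.call(fmt) == normalize.call(ext)
end

# Headers to attach when serving any upload that fails the check: stop the
# browser from sniffing it into HTML and force a download instead of inline rendering.
def untrusted_upload_headers
  {
    "Content-Type" => "application/octet-stream",
    "X-Content-Type-Options" => "nosniff",
    "Content-Disposition" => "attachment",
  }
end

# Constructed samples: the post's HTML disguised as a PNG, and a genuine PNG header.
EVIL_PNG = "<html><body><script>alert(1)</script></body></html>"
REAL_PNG = "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR".b

if __FILE__ == $PROGRAM_NAME
  puts safe_to_thumbnail?("evil.png", EVIL_PNG)   # false
  puts safe_to_thumbnail?("photo.png", REAL_PNG)  # true
end
```

A mismatch between extension and sniffed format (a GIF header inside a .png) is also rejected, since that is exactly the disguise the post describes.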
If your Redmine is affected:
Upgrade to 4.2.11, 5..6, or later.
Official patch release:
- Redmine: Security Advisories
- Release notes 4.2.11
- Release notes 5..6
Exploit Details & Mitigations
Exploit impact: defaces pages, injects persistent JavaScript.
Mitigations:
References
- Original CVE entry
- Redmine security advisory page
- Patch commit on Redmine GitHub
Wrapping Up
CVE-2023-47260 is a reminder that file upload features—especially those that generate previews/thumbnails—are prime targets for XSS.
Patch early, patch often, and never trust user input (or uploads), no matter how harmless they seem!
Timeline
Published on: 11/05/2023 04:15:10 UTC
Last modified on: 11/14/2023 18:30:09 UTC