CVE-2023-48681 - Self Cross-Site Scripting (XSS) in Acronis Cyber Protect 16 Storage Nodes Search – How it Works and How to Stay Safe

CVE-2023-48681 is a self cross-site scripting (XSS) vulnerability found in the storage nodes search field of Acronis Cyber Protect 16 (both Linux and Windows versions), affecting builds before 37391. This flaw, although requiring the user to interact with malicious input, could allow an attacker to execute scripts in the user's browser, possibly leading to information disclosure or unwanted actions in the web interface.

In this article, we break down what the vulnerability means, how it can be exploited, and what you should do about it. We’ll also show some code snippets to help you understand the issue better.

What is Self XSS?

Self-XSS (Self-Cross-Site Scripting) happens when an application fails to sanitize user input and reflects it back in a webpage. In self-XSS, the attacker can't directly exploit another user but instead relies on convincing legitimate users to paste and execute malicious scripts themselves.

While this is less dangerous than regular XSS that's wormable, it's still a problem — especially in environments where users might not know the risks or could be tricked by social engineering.

Versions: Before build 37391

If you’re running an older build, your system is at risk.

How the Vulnerability Works

The storage nodes search field in the affected versions did not properly sanitize input. If a user searched for something containing JavaScript code or HTML tags, the web interface would reflect this input back into the page—and execute it.

An attacker crafts a malicious search string containing JavaScript.

2. The attacker convinces a user (maybe an administrator) to paste this into the storage nodes search field.
3. The user performs the search, and the web page executes the embedded script, running in the context of their account.

Here’s a simplified version to illustrate the problem

<!-- Simplified vulnerable code -->
<form method="get">
    <input name="search" value="<?php echo $_GET['search']; ?>">
    <button type="submit">Search</button>
</form>

In this example, whatever is in the search parameter gets reflected back into the input field without sanitization.

`

Let’s see what an attacker might use in the storage nodes search

"><script>alert('You have an XSS!')</script>

If the application places this directly into the page without escaping the characters, it pops up the alert box.

In a more sophisticated attack, instead of a simple alert, the attacker could try to steal cookies or perform actions on behalf of the user.

Exploit Scenario

- An attacker sends a support link or message suggesting, "Try searching for this to troubleshoot corruption issues: "><img src=x onerror=alert('XSS')>

How to Mitigate the Vulnerability

### 1. Patch/Update

Update to Acronis Cyber Protect 16 build 37391 or later.

- Acronis downloads and update instructions

Example fix

<input name="search" value="<?php echo htmlspecialchars($_GET['search'] ?? '', ENT_QUOTES); ?>">

References

- NVD – CVE-2023-48681 National Vulnerability Database Entry
- Acronis Cyber Protect 16 release notes & updates
- OWASP: Cross-Site Scripting (XSS)

Final Thoughts

While CVE-2023-48681 is a self-XSS and not directly exploitable in automated attacks, it still poses a risk if users are not careful. For anyone managing Acronis Cyber Protect 16, updating to the latest build is a must. Don't let small things slip—they can add up to big issues.

Timeline

Published on: 02/27/2024 17:15:10 UTC
Last modified on: 02/28/2024 14:07:00 UTC