Reflective HTML Injection vulnerability
Introduction
A vulnerability identified by security researcher Ruben Meeuwissen allows an attacker to deface the error page using custom URL parameters.
- CVSS Score: 4.0 (Medium)
- CVE: In progress
- Vulnerability Type: HTML Injection
- Product affected: Passbolt API
- Versions affected: Passbolt API <= v4.6.1
- Version fixed: Passbolt API v4.6.2
- Affected component: Error pages
Vulnerability details
The vulnerability allows for HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, as defined in the default configuration, it may still impact the appearance and user interaction of the page.
Impact analysis
Impact on the integrity of the content is limited to the error pages. The confidentiality or availability of the information is not impacted.
Root cause analysis
Some error messages, such as the one produced by the pagination component, may contain user-provided input. Such a message was then presented to the user as the title of the page, without being filtered.
Mitigation and remediations
A fix was deployed as part of Passbolt API v4.6.2. Error messages are no longer used as part of the page title.
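The root cause and the fix described above can be modelled in a few lines. This is an added example, not Passbolt's code: the template, the function names, the error message wording and the choice to still show the escaped message in the page body are all assumptions made for illustration.

```python
from html import escape

# Fixed titles keyed by HTTP status; nothing from the request reaches them.
GENERIC_TITLES = {400: "Bad Request", 404: "Not Found", 500: "Internal Error"}

# Hypothetical error page template (not the project's own).
PAGE = (
    "<html><head><title>{title}</title></head>"
    "<body><h1>{title}</h1><p>{detail}</p></body></html>"
)


def pagination_error(page_param: str) -> str:
    """Hypothetical error message that echoes a user-supplied URL parameter."""
    return f"Invalid page number: {page_param}"


def render_unfiltered(status: int, message: str) -> str:
    """'Before' behaviour: the error message becomes the page title, unfiltered."""
    return PAGE.format(title=message, detail=f"Error {status}")


def render_fixed(status: int, message: str) -> str:
    """'After' behaviour: the title comes from a fixed table, never the message.

    Showing the message in the body after HTML-escaping is an assumption
    added here as defence in depth; the advisory only states that the
    message is no longer used in the title.
    """
    title = GENERIC_TITLES.get(status, "Error")
    return PAGE.format(title=title, detail=escape(message, quote=True))


def raw_input_reflected(page_html: str, user_input: str) -> bool:
    """Regression check: does the page contain the input byte-for-byte?"""
    return user_input in page_html


if __name__ == "__main__":
    # Constructed, harmless sample value standing in for a crafted parameter.
    sample = "<h1>constructed marker</h1>"
    msg = pagination_error(sample)
    for name, render in (("unfiltered", render_unfiltered), ("fixed", render_fixed)):
        html_out = render(400, msg)
        print(f"{name}: reflected raw markup = {raw_input_reflected(html_out, sample)}")
```

A check like `raw_input_reflected` can be kept in an error-page test suite so that any later template change that reintroduces request data into the title fails the build.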
Acknowledgments
Passbolt would like to acknowledge and thank Ruben Meeuwissen for uncovering and reporting the vulnerability.
Timeline of events
- 2024-04-10: Vulnerability reported by security researcher
- 2024-04-10: Vulnerability analysis and acknowledgement to security researcher
- 2024-04-11: A fix is published as part of Passbolt API v4.6.2
- 2024-04-16: CVE requested and incident page published