Post Syndicated from Dr. Mike Cohen original https://blog.rapid7.com/2023/11/10/cve-2023-5950-rapid7-velociraptor-reflected-xss/
This advisory covers a specific issue identified in Velociraptor and disclosed by a security code review. We want to thank Mathias Kujala for working with the Velociraptor team to identify and rectify this issue. It has been fixed as of Version 0.7.0-4, released November 6, 2023.
CVSS · HIGH · 8.6/10 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
- Scoring scenario: GENERAL
- attackVector: NETWORK
- attackComplexity: LOW
- privilegesRequired: NONE
- userInteraction: NONE
- scope: UNCHANGED
- confidentialityImpact: HIGH
- integrityImpact: LOW
- availabilityImpact: LOW
Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user’s web browser. This vulnerability is fixed in version 0.7.0-4 and a patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1). This issue affects the server only.
Problem
CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Remediation
To remediate these vulnerabilities, Velociraptor users should upgrade their servers.
Product Status
Product affected: Rapid7 Velociraptor prior to 0.7.0-4
Credits
Mathias Kujala
References
docs.velociraptor.app/blog/2023/2023-07-27-release-notes-0.7.0/
Timeline
- 2023-11-02 – Notification of the issue
- 2023-11-06 – Release 0.7.0-4 made available on Github