Multiple Cross-Site Scripting (XSS) vulnerabilities in Hubzilla 7.0.3 and earlier allow a remote attacker to include arbitrary web script or HTML via the rpath parameter.
CVE: CVE-2022-27258
Severity: 7.4 (High)
CVSSv3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Vulnerable application: Hubzilla
Component: Settings modules
Vulnerable versions: Any version before 7.2
Fixed in: version 7.2
A number of settings modules do not sanitise or escape the rpath query parameter before outputting it into an HTML attribute, leading to a reflected Cross-Site Scripting (XSS) vulnerability.
An attacker could use this to inject arbitrary JavaScript into a victim's session by enticing them to click a link.
Proof of concept
https://example.com/settings/calendar/?f=&rpath=https://example.com/cdav/calendar'><script>alert('boom')</script>
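The unsafe attribute construction described above, shown next to its escaped form, as an added PHP illustration that is not Hubzilla's own code; the function names, the hidden-input markup and the path check are assumptions, and the input is modelled on the proof of concept above:

```php
<?php
// Added illustration, not Hubzilla's code: how a query parameter reflected
// unescaped into an attribute value becomes XSS, and how escaping closes it.

// Constructed input, modelled on the proof-of-concept URL above.
$rpath = "https://example.com/cdav/calendar'><script>alert('boom')</script>";

// Vulnerable pattern (assumed shape of the bug): the raw parameter is
// concatenated into a single-quoted attribute, so a ' in the value closes
// the attribute and the rest is parsed as markup.
function render_rpath_vulnerable(string $rpath): string {
    return "<input type='hidden' name='rpath' value='" . $rpath . "'>";
}

// Hardened pattern: escape for the HTML attribute context. ENT_QUOTES is
// essential here because the attribute is single-quoted; the default flags
// leave single quotes untouched and the break-out would still work.
function render_rpath_safe(string $rpath): string {
    $escaped = htmlspecialchars($rpath, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input type='hidden' name='rpath' value='" . $escaped . "'>";
}

// Defence in depth (an assumption, not the project's fix): a return path is
// expected to be a same-site path, so reject absolute and protocol-relative
// URLs before they are reflected or redirected to.
function validate_rpath(string $rpath): string {
    if ($rpath === '' || $rpath[0] !== '/' || substr($rpath, 0, 2) === '//') {
        return '/';   // safe default instead of the attacker-controlled value
    }
    return $rpath;
}

echo render_rpath_vulnerable($rpath), "\n";
echo render_rpath_safe($rpath), "\n";
echo render_rpath_safe(validate_rpath($rpath)), "\n";
```

Running it prints the broken-out markup first, then the same value with the quote and angle brackets entity-encoded so the browser treats it as attribute text, then the fallback path.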
Remediation
It is recommended to upgrade to version 7.2 or later, where this issue is fixed.
Credits
This issue was [url=https://volse.net/~haraldei/infosec/disclosures/hubzilla-before-7-2-multiple-vulnerabilities/]originally reported[/url] and fixed by Harald Eilertsen.
#security #cve #hubzilla #xss