D-Woosley

**Name of the Vulnerable Software and Affected Versions** Rucio versions prior to 35.8.3 Rucio versions prior to 38.5.4 Rucio versions prior to 39.3.1 **Description** Rucio software contains a reflected Cross-site Scripting (XSS) issue in the rendering of the ExceptionMessage of the WebUI 500 error. This could allow attackers to steal login session tokens of users who navigate to a specially crafted URL. The issue arises because the `ExceptionMessage`, which can contain user-controlled input, is rendered as unencoded HTML. Server code in `common.py` (specifically `error headers`, ` error response`, and `generate http error flask`) places the `ExceptionMessage` into response headers and the JSON body. The WebUI client then injects this text into the Document Object Model (DOM) using unsafe methods like `jQuery.html(...)` in files such as `rule.js`, `request rule.js`, and `list rules.js`, enabling reflected XSS. An attacker can craft a URL containing a malicious payload, such as an `<img src=x onerror=alert(document.cookie)>` tag, which will execute when a user visits the URL. This allows the attacker to potentially steal session tokens due to the lack of the HttpOnly attribute on the session cookie and the absence of a Content Security Policy. Exploitation can occur through the account parameter in URLs or during account key attribute creation errors. An attacker could potentially create a new UserPass identity for the root account. **Recommendations** For versions prior to 35.8.3, change all client-side insertions of server-provided text from `.html(...)` to `.text()` or create text nodes/escape HTML before insertion. For versions prior to 38.5.4, change all client-side insertions of server-provided text from `.html(...)` to `.text()` or create text nodes/escape HTML before insertion. For versions prior to 39.3.1, change all client-side insertions of server-provided text from `.html(...)` to `.text()` or create text nodes/escape HTML before insertion. Consider adding a Content Security Policy (CSP) to mitigate external script execution. Set the HTTPOnly flag for session cookies. Avoid setting the API token in a JavaScript variable.

**Name of the Vulnerable Software and Affected Versions** Rucio versions prior to 35.8.3 Rucio versions prior to 38.5.4 Rucio versions prior to 39.3.1 **Description** Rucio’s WebUI login endpoint, `/ui/login`, returns different error messages based on whether a supplied username exists. This allows unauthenticated attackers to enumerate valid usernames. Specifically, a non-existent username results in an error message indicating no associated account, while an existing username with an incorrect password produces a different authentication error. This behavioral difference enables attackers to determine valid usernames. Exploitation of this issue may allow for targeted password guessing, credential stuffing, or social engineering attacks. **Recommendations** For versions prior to 35.8.3, return a generic authentication failure message for all login errors, regardless of whether the username exists. For versions prior to 38.5.4, return a generic authentication failure message for all login errors, regardless of whether the username exists. For versions prior to 39.3.1, return a generic authentication failure message for all login errors, regardless of whether the username exists.

**Name of the Vulnerable Software and Affected Versions** Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1 **Description** Rucio software contains a stored Cross-Site Scripting (XSS) issue within the Custom Rules function of the WebUI. Attackers can inject malicious code through the `comment` field, which is then stored and executed when other users view the affected pages. This allows for arbitrary JavaScript execution in the context of the WebUI, potentially leading to session token theft or unauthorized actions. The issue arises because attacker-controlled input is not properly encoded before being rendered in the WebUI. The vulnerability can be triggered by creating a new rule and including a malicious payload in the `comment` field. The malicious script is then executed when the rule is viewed or approved. The API endpoint used for creating the request is `/proxy/rules/`. The vulnerable parameter is `comment`. An attacker could potentially create a new UserPass identity or exfiltrate data. **Recommendations** Versions prior to 35.8.3 should be updated to version 35.8.3 or later. Versions prior to 38.5.4 should be updated to version 38.5.4 or later. Versions prior to 39.3.1 should be updated to version 39.3.1 or later. Ensure all client-side renderings of server-provided or user-controlled data implement proper HTML escaping before insertion into the DOM. Enforce a strict Content Security Policy (CSP). Set the HttpOnly flag on session cookies. Avoid exposing API tokens in JavaScript-accessible variables.

**Name of the Vulnerable Software and Affected Versions** Rucio versions prior to 35.8.3 Rucio versions prior to 38.5.4 Rucio versions prior to 39.3.1 **Description** Rucio is a software framework used to organize, manage, and access large volumes of scientific data. A stored Cross-Site Scripting (XSS) issue exists in the RSE metadata of the WebUI. Attackers can inject malicious input that is stored by the backend and then displayed in the WebUI without proper encoding. This allows for the execution of arbitrary JavaScript code within the context of the WebUI when a user views the affected pages. This could potentially lead to session token theft or unauthorized actions. The vulnerability affects the 'City', 'Country Name', and 'ISP' attributes when creating or modifying RSEs through the Admin > RSE Management interface. An attacker could use a POST request to the `/proxy/rses/XSSTEST` API endpoint with a malicious payload in the JSON body to exploit this issue. The impact is amplified by the lack of the HttpOnly flag on session cookies and the exposure of API tokens in JavaScript variables. An attacker could potentially create a new UserPass identity or exfiltrate data. **Recommendations** Versions prior to 35.8.3 should be upgraded to version 35.8.3 or later. Versions prior to 38.5.4 should be upgraded to version 38.5.4 or later. Versions prior to 39.3.1 should be upgraded to version 39.3.1 or later. Ensure all client-side renderings of server-provided or user-controlled data implement proper HTML escaping before insertion into the DOM. Enforce a strict Content Security Policy (CSP). Set the HttpOnly flag on session cookies. Avoid exposing API tokens in JavaScript-accessible variables.

**Name of the Vulnerable Software and Affected Versions** Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1 **Description** Rucio is a software framework used for organizing, managing, and accessing large volumes of scientific data. A stored Cross-Site Scripting (XSS) issue exists in the Identity Name of the WebUI. Attackers can inject malicious code that is saved by the backend and displayed in the WebUI without proper encoding. This allows for the execution of arbitrary JavaScript code within the context of the WebUI when a user views the affected pages, potentially leading to session token theft or unauthorized actions. The vulnerability is triggered by submitting a malicious payload via a POST request to the `/proxy/accounts/{account}/identities` API endpoint, specifically within the `identity` parameter. The payload is stored and then executed when viewing the account details. An attacker could potentially create a new root UserPass identity or exfiltrate data. **Recommendations** Versions prior to 35.8.3 should be updated to version 35.8.3 or later. Versions prior to 38.5.4 should be updated to version 38.5.4 or later. Versions prior to 39.3.1 should be updated to version 39.3.1 or later.

**Name of the Vulnerable Software and Affected Versions** Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1 **Description** Rucio is a software framework used to organize, manage, and access large volumes of scientific data. A stored Cross-Site Scripting (XSS) issue exists in the Custom RSE Attribute of the WebUI. Attackers can inject malicious input that is saved by the backend and then displayed in the WebUI without proper encoding. This allows for the execution of arbitrary JavaScript code within the context of the WebUI when a user views the affected pages, potentially leading to session token theft or unauthorized actions. The issue is triggered by creating a custom RSE attribute via the Admin > RSE Management > RSE NAME > Add Attribute path and then viewing the RSE via Admin > RSE Management > RSE NAME . The attack utilizes a POST request to the `/proxy/rses/WEB1/attr/XSS` endpoint with a payload in the request body, such as `{"value":"<script>alert('XSS')</script>"}`. An attacker could exploit this to create a new UserPass identity or exfiltrate data. The impact is amplified by the lack of the HttpOnly flag on session cookies and the exposure of API tokens in JavaScript variables. **Recommendations** Versions prior to 35.8.3 should be updated to version 35.8.3 or later. Versions prior to 38.5.4 should be updated to version 38.5.4 or later. Versions prior to 39.3.1 should be updated to version 39.3.1 or later.