PT-2024-12301 · Norman · Norman Api

Diego95Root


Published: 2024-02-08 · Updated: 2024-10-16

CVE-2023-32193

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Norman API versions prior to the patched versions

Description: A vulnerability has been identified in Norman's public API endpoint that allows unauthenticated cross-site scripting (XSS). It can lead to an attacker triggering JavaScript code in a victim's browser and executing commands remotely. The attack vector was identified as a reflected XSS: the API propagates payloads from user input (the request URL) into the UI, where the output is rendered unescaped. For example, a crafted URL can be rendered into a script that is executed on the page.

Recommendations: To resolve the issue, update Norman API to a patched version, such as one including commits 3bb70b7, a6a6cf5, cb54924, 7b2b467, or bd13c65. As a temporary workaround, encode input taken from the request URL before adding it to the response, and escape request input by changing the URL construction to use url.URL and by escaping JavaScript and CSS variables with attribute encoding.
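The following is an added illustration of the workaround described above; it is not Norman's code and does not reproduce the patched commits. `renderUnsafe` is a hypothetical handler body that concatenates the request URL straight into an HTML response (the reflected-XSS pattern), and `renderSafe` shows the recommended shape: rebuild the URL through `url.URL` so query components are percent-encoded, then render via `html/template`, which applies attribute, URL and JavaScript contextual escaping. The sample URL and the `/v3/projects` path are constructed for the example.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/url"
	"strings"
)

// renderUnsafe is a hypothetical vulnerable pattern: the raw request URL is
// interpolated into HTML, so markup in the query string is reflected verbatim.
func renderUnsafe(requestURL string) string {
	return fmt.Sprintf(`<html><body><a href="%s">%s</a></body></html>`, requestURL, requestURL)
}

// page uses the value in three contexts (href attribute, text node, JS
// expression); html/template picks the escaper for each context at parse time.
var page = template.Must(template.New("page").Parse(
	`<html><body><a href="{{.Link}}">{{.Label}}</a>` +
		`<script>var next = {{.Link}};</script></body></html>`))

// renderSafe parses the incoming URL, rebuilds it with url.URL so every query
// key and value is percent-encoded, and renders it through html/template.
func renderSafe(requestURL string) (string, error) {
	u, err := url.Parse(requestURL)
	if err != nil {
		return "", err
	}
	// url.Values.Encode() percent-encodes '<', '>', '(' etc. in the query.
	rebuilt := url.URL{
		Scheme:   u.Scheme,
		Host:     u.Host,
		Path:     u.Path,
		RawQuery: u.Query().Encode(),
	}
	link := rebuilt.String()
	var sb strings.Builder
	data := struct{ Link, Label string }{Link: link, Label: link}
	if err := page.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// handler wires renderSafe to an HTTP request (hypothetical endpoint).
func handler(w http.ResponseWriter, r *http.Request) {
	out, err := renderSafe(r.URL.String())
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, out)
}

func main() {
	// Constructed sample: a benign marker payload reflected via the query string.
	in := "https://example.test/v3/projects?name=<script>alert(1)</script>"
	fmt.Println("unsafe:", renderUnsafe(in))
	out, err := renderSafe(in)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:  ", out)
	_ = handler
}
```

Running `main` shows the unsafe variant emitting the `<script>` tag as live markup, while the safe variant carries it only as `%3Cscript%3E` inside an encoded query and as a JSON-quoted string inside the JS context. The point of doing both steps is that `url.URL` fixes the URL construction and `html/template` fixes the output encoding; either alone leaves one of the three contexts unescaped.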

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-32193
GHSA-R8F4-HV23-6QP6
GO-2024-2536

Affected Products

Norman Api