PT-2024-26902 · Unknown · Reposilite
Artsploit · Published 2024-06-19 · Updated 2024-12-19
CVE-2024-36115
CVSS v4.0: 7.7 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Reposilite versions prior to 3.5.12
Description
Artifact content is served from the same origin as the Admin UI. If an artifact contains HTML with embedded JavaScript, that JavaScript executes in the Admin UI's origin and can read the browser's local storage, where the user's password is stored. The attack can be carried out from the administrator's browser even when the Reposilite instance sits in an isolated environment. This issue may lead to full compromise of the Reposilite instance and, in the worst case, to remote code execution on every system that consumes artifacts from Reposilite.
Recommendations
For versions prior to 3.5.12, consider the following options to remediate this vulnerability:
- Send the "Content-Security-Policy: sandbox;" header when serving artifact content, so that JavaScript in the artifact cannot execute.
- Send the "Content-Disposition: attachment" header so that the browser does not render the content at all.
Additionally, reconsider how website authentication works for Reposilite: after checking the login and password on the server, issue the browser a one-time session ID or token with a limited validity period.
Upgrade to version 3.5.12 to address this issue.
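As an added example (not code from this advisory or from the Reposilite project), the following Python module builds the artifact-response headers the two recommendations above describe and audits a captured header set to report which mitigation is missing. The sample header sets at the bottom are constructed for the example. One assumption is the example's own: a CSP sandbox is treated as defeated for this specific threat only when it carries both allow-scripts and allow-same-origin, since without allow-same-origin the document gets an opaque origin and cannot reach the Admin UI's localStorage.

```python
"""Defensive headers for serving raw repository artifacts, and an auditor
for them. Example code, not Reposilite's implementation."""

from typing import Dict, Iterable, List, Mapping


def hardened_artifact_headers(filename: str) -> Dict[str, str]:
    """Headers to attach to a raw artifact response.

    'sandbox' with no allow-* flags gives the document an opaque origin and
    disables script execution, so HTML/JS inside a .jar, .pom or .html file
    cannot run in the repository UI's origin. 'attachment' stops the browser
    from rendering the body at all.
    """
    # Strip characters that could break out of the quoted filename parameter.
    safe_name = "".join(ch for ch in filename if ch not in '"\r\n')
    return {
        "Content-Security-Policy": "sandbox",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",  # no MIME sniffing into text/html
    }


def _csp_directives(values: Iterable[str]) -> Dict[str, List[str]]:
    """Parse one or more CSP header values into {directive: [tokens]}."""
    directives: Dict[str, List[str]] = {}
    for value in values:
        for part in value.split(";"):
            tokens = part.split()
            if tokens:
                name = tokens[0].lower()
                directives.setdefault(name, []).extend(t.lower() for t in tokens[1:])
    return directives


def audit_artifact_headers(headers: Mapping[str, object]) -> Dict[str, object]:
    """Audit a response header set for the advisory's two mitigations.

    `headers` maps header names (any case) to a string or a list of strings;
    repeated names are merged, so the .items() of an http.client.HTTPMessage
    works as input too. Returns {"mitigated": bool, "findings": [...]}:
    mitigated is True when at least one effective mitigation is present,
    findings lists every layer that is absent or weakened.
    """
    lowered: Dict[str, List[str]] = {}
    for name, value in headers.items():
        vals = list(value) if isinstance(value, list) else [str(value)]
        lowered.setdefault(name.lower(), []).extend(vals)

    findings: List[str] = []

    csp = _csp_directives(lowered.get("content-security-policy", []))
    sandbox_effective = False
    if "sandbox" not in csp:
        findings.append("CSP sandbox directive missing: scripts inside an "
                        "HTML artifact run in the repository origin")
    else:
        flags = set(csp["sandbox"])
        # Assumption (see lead-in): only this flag pair re-exposes the origin.
        if {"allow-scripts", "allow-same-origin"} <= flags:
            findings.append("CSP sandbox grants allow-scripts and "
                            "allow-same-origin: artifact is not isolated")
        else:
            sandbox_effective = True

    dispositions = [v.split(";")[0].strip().lower()
                    for v in lowered.get("content-disposition", [])]
    attachment = "attachment" in dispositions
    if not attachment:
        findings.append("Content-Disposition is not 'attachment': the browser "
                        "may render the artifact inline")

    return {"mitigated": sandbox_effective or attachment, "findings": findings}


# Constructed sample responses, not captured from any real deployment.
SAMPLES = {
    "unmitigated": {"Content-Type": "text/html", "Content-Length": "512"},
    "sandboxed": {"content-security-policy": "sandbox", "Content-Type": "text/html"},
    "weak_sandbox": {"Content-Security-Policy": "sandbox allow-scripts allow-same-origin"},
    "attachment": {"Content-Disposition": 'attachment; filename="lib-1.0.jar"'},
    "split_csp": {"Content-Security-Policy": ["default-src 'self'", "sandbox"]},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, audit_artifact_headers(hdrs))
    print("hardened", audit_artifact_headers(hardened_artifact_headers("lib-1.0.jar")))
```

The auditor reports both layers separately on purpose: a deployment that relies on a single header is mitigated against this issue, but a reviewer usually wants to know that the second layer is absent, since defence in depth here costs one extra header.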
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Reposilite