ID | Product | Version | Vulnerability |
---|---|---|---|
SUID-2019-00002* | Scytl Secure Vote (sVote) | 2.1 | XSS |
```java
// Excerpt from the affected code: JavaScript source is built by string
// concatenation, and contestId and the question keys are spliced into JS
// string literals without any escaping.
public void generateCorrectnessCode(StringBuilder sb) {
    Set<Entry<String, Integer>> entrySet = questions.entrySet();
    for (Entry<String, Integer> entry : entrySet) {
        sb.append("result = function (subSelection, callbackFunction) {");
        sb.append("var partialResult = true;");
        sb.append("var selectionName = '").append(contestId).append("';");          // unescaped
        sb.append("var attributeName = '").append(entry.getKey()).append("';");     // unescaped
        sb.append("var max = ").append(entry.getValue().intValue()).append(";");
        sb.append("var count = 0;");
        // the remainder of the generated function is not reproduced on this page
    }
}
```
The line `sb.append("var selectionName = '").append(contestId).append("';");` appends an ID into a JavaScript string literal without validating or escaping it.
The `contestId` enters the builder unchanged through this constructor:
```java
public ContestCorrectionBuilder(String contestId, AttributesCorrectnessBuilder attributesCorrectnessBuilder) {
    this.contestId = contestId;
    this.attributesCorrectnessBuilder = attributesCorrectnessBuilder;
}
```
None of the appended values are escaped. This means that anybody who can influence a context object can inject arbitrary JavaScript, for example to redirect to shady sites or steal cookies.
A safe approach would be to build the values in a JS array (or object) and serialize that to a string, or to escape every provided string before placing it inside a JS literal.
The contestId was, however, never user-controlled and is thus not directly exploitable.
Future iterations might reuse this code or feed it user-controlled input, which would make the vulnerability exploitable.
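The following is an added example, not code from sVote or from Team SUID, that puts the concatenation pattern of the excerpt next to a hardened variant in which every dynamic value is emitted as an escaped JavaScript string literal (the escaping alternative mentioned above; the class and method names, and the hostile input, are constructed for the example):

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not sVote code: the generation pattern from the excerpt, once
// with raw concatenation and once with every string value escaped. Class and
// method names are hypothetical.
public class CorrectnessCodeExample {

    // Turn an arbitrary Java string into a single-quoted JS string literal.
    // Quotes, backslashes, control characters, '<' and '>' (which could close a
    // surrounding <script> element) and U+2028/U+2029 (JS line terminators) are
    // emitted as \uXXXX escapes, so no input can terminate the literal early.
    static String jsStringLiteral(String s) {
        StringBuilder out = new StringBuilder("'");
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\\') {
                out.append("\\\\");
            } else if (c == '\'' || c == '"' || c == '<' || c == '>'
                    || c < 0x20 || c == '\u2028' || c == '\u2029') {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.append('\'').toString();
    }

    // Mirrors the vulnerable excerpt: values are spliced straight into the literal.
    static String generateUnescaped(String contestId, Map<String, Integer> questions) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, Integer> entry : questions.entrySet()) {
            sb.append("result = function (subSelection, callbackFunction) {");
            sb.append("var selectionName = '").append(contestId).append("';");
            sb.append("var attributeName = '").append(entry.getKey()).append("';");
            sb.append("var max = ").append(entry.getValue().intValue()).append(";");
            sb.append("};\n");
        }
        return sb.toString();
    }

    // Hardened variant: every string value goes through jsStringLiteral; the
    // integer is appended from an int, so no text can be injected through it.
    static String generateEscaped(String contestId, Map<String, Integer> questions) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, Integer> entry : questions.entrySet()) {
            sb.append("result = function (subSelection, callbackFunction) {");
            sb.append("var selectionName = ").append(jsStringLiteral(contestId)).append(";");
            sb.append("var attributeName = ").append(jsStringLiteral(entry.getKey())).append(";");
            sb.append("var max = ").append(entry.getValue().intValue()).append(";");
            sb.append("};\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        Map<String, Integer> questions = new LinkedHashMap<>();
        questions.put("question-1", 2);
        // Constructed input: a quote that would close the literal, followed by code.
        String hostileId = "contest'; alert(1); //";
        System.out.println("unescaped:\n" + generateUnescaped(hostileId, questions));
        System.out.println("escaped:\n" + generateEscaped(hostileId, questions));
    }
}
```

Running `main` shows the difference: in the unescaped output the quote in the constructed ID ends the `selectionName` literal and the rest of the value becomes a statement, whereas in the escaped output the whole ID stays inside one literal as `\u0027` and `\u003c`-style escapes. In a real code base a maintained encoder (for example the JavaScript encoder of OWASP Java Encoder) is preferable to a hand-written one like `jsStringLiteral`.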
Jannis Kirschner & Anthony Schneiter from Team SUID
*SUID IDs reference security issues and bad practices that are not necessarily exploitable but might still cause issues in certain scenarios.