ID: SUID-2019-00002*
Product: Scytl Secure Vote (sVote)
Version: 2.1
Vulnerability: XSS

Description

The following file shows a potentially unsafe practice (source-code\online-voting-channel\ov-commons\ov-commons-correctness\src\main\java\com\scytl\products\ov\commons\correctness\builder\attributes\ContestCorrectionBuilder.java):

    public void generateCorrectnessCode(StringBuilder sb) {
        // Generic type arguments were lost in extraction; Map.Entry<String, Integer>
        // is inferred from the getKey() / getValue().intValue() calls below.
        Set<Entry<String, Integer>> entrySet = questions.entrySet();
        for (Entry<String, Integer> entry : entrySet) {
            sb.append("result = function (subSelection, callbackFunction) {");
            sb.append("var partialResult = true;");
            sb.append("var selectionName = '").append(contestId).append("';");
            sb.append("var attributeName = '").append(entry.getKey()).append("';");
            sb.append("var max = ").append(entry.getValue().intValue()).append(";");
            sb.append("var count = 0;");
            // ... (excerpt truncated in the original report)

The line sb.append("var selectionName = '").append(contestId).append("';"); places an ID inside a JavaScript string literal without validating or escaping it; the same applies to the entry.getKey() value appended on the next line.
The contestId is set in the constructor, again without any validation:

    public ContestCorrectionBuilder(String contestId, AttributesCorrectnessBuilder attributesCorrectnessBuilder) {
        this.contestId = contestId;
        this.attributesCorrectnessBuilder = attributesCorrectnessBuilder;
    }

None of the appended values are escaped, which means that somebody who can influence the contestId (or a question key) can break out of the string literal and inject arbitrary JavaScript into the generated correctness code, for example to redirect voters to malicious sites or to steal cookies.
A safe alternative would be to validate the IDs against their expected format and to emit each value as a properly escaped JavaScript string literal, for example by placing the values in a JavaScript array or object and serialising it to JSON, or by escaping the provided strings, instead of concatenating raw strings.
The contestId was, however, never user-controlled, so the code is not directly exploitable.
Future iterations might reuse this code or introduce further unsafe coding practices that would make the issue exploitable.
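The following is an added example, not code from Scytl or from Team SUID. It ports the string-building pattern of generateCorrectnessCode to JavaScript so that the generated code can actually be loaded, feeds it a constructed payload to show what an attacker-controlled contestId would do, and then shows a hardened builder that allow-lists the ID format and emits every value as an escaped string literal. The ID format (32 lowercase hex characters), the question keys, the payload and the closing "return partialResult; };" of the generated function are all assumptions; the original excerpt is truncated before the function body ends.

```javascript
// Added example, not Scytl or Team SUID code: JavaScript port of the
// ContestCorrectionBuilder string-building pattern, an injection payload,
// and a hardened variant. The trailing "return partialResult; };" is assumed.

// Vulnerable variant: mirrors the Java builder's unescaped sb.append(...) calls.
function buildCorrectnessCodeUnsafe(contestId, questions) {
  let code = "";
  for (const [attributeName, max] of Object.entries(questions)) {
    code += "result = function (subSelection, callbackFunction) {";
    code += "var partialResult = true;";
    code += "var selectionName = '" + contestId + "';";
    code += "var attributeName = '" + attributeName + "';";
    code += "var max = " + max + ";";
    code += "var count = 0;";
    code += "return partialResult; };";
  }
  return code;
}

// Assumption: sVote contest and attribute IDs are 32-character lowercase hex
// strings. Allow-list validation rejects quotes, slashes and anything else
// that could terminate a literal.
const ID_PATTERN = /^[0-9a-f]{32}$/;

// Emit a JavaScript string literal. JSON.stringify escapes quotes, backslashes
// and control characters; the extra replace covers U+2028/U+2029 (JS line
// terminators) and "<" so the output is also safe inside an inline <script>.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hardened variant: validate first, then escape anyway, so a later relaxation
// of ID_PATTERN cannot silently reintroduce the injection.
function buildCorrectnessCodeSafe(contestId, questions) {
  if (!ID_PATTERN.test(contestId)) {
    throw new TypeError("contestId does not match the expected ID format");
  }
  let code = "";
  for (const [attributeName, max] of Object.entries(questions)) {
    if (!ID_PATTERN.test(attributeName)) {
      throw new TypeError("attribute name does not match the expected ID format");
    }
    if (!Number.isInteger(max) || max < 0) {
      throw new TypeError("max must be a non-negative integer");
    }
    code += "result = function (subSelection, callbackFunction) {";
    code += "var partialResult = true;";
    code += "var selectionName = " + jsStringLiteral(contestId) + ";";
    code += "var attributeName = " + jsStringLiteral(attributeName) + ";";
    code += "var max = " + max + ";";
    code += "var count = 0;";
    code += "return partialResult; };";
  }
  return code;
}

// Stand-in for the voting client loading the generated script. `sink` is a
// closure variable the test can inspect to see whether injected code ran.
function loadGenerated(code, sink) {
  return new Function("sink", "var result; " + code + " return result;")(sink);
}

// Constructed payload: closes the string literal, runs attacker code, and
// reopens a literal so the generated script still parses.
const PAYLOAD = "x'; sink.push('injected'); var z='";
const VALID_ID = "0123456789abcdef0123456789abcdef";
const QUESTIONS = { fedcba9876543210fedcba9876543210: 1 };

// Unsafe builder: the payload ends up inside the correctness function and
// executes as soon as the client calls it.
function demoUnsafe() {
  const sink = [];
  const result = loadGenerated(buildCorrectnessCodeUnsafe(PAYLOAD, QUESTIONS), sink);
  result(null, null);
  return sink; // ["injected"]
}

// Safe builder: the payload is rejected outright, and a valid ID produces a
// function with no side effects that returns partialResult (true).
function demoSafe() {
  const sink = [];
  let rejected = false;
  try {
    buildCorrectnessCodeSafe(PAYLOAD, QUESTIONS);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const result = loadGenerated(buildCorrectnessCodeSafe(VALID_ID, QUESTIONS), sink);
  return { rejected, sideEffects: sink, checkResult: result(null, null) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demoUnsafe(), demoSafe());
}
```

The two layers are deliberate: validation alone fails the moment someone widens the accepted ID format, and escaping alone still lets malformed IDs reach the client, so the hardened builder does both. The same approach translates directly to the Java StringBuilder code, with a regex check on contestId and a JSON encoder (or an equivalent escaper) in place of the bare append calls.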

Disclosure Timeline

Credit

Jannis Kirschner & Anthony Schneiter from Team SUID


*SUID IDs reference security issues and bad practices that are not necessarily exploitable but might still cause issues in certain scenarios.