A Pressbooks stored cross site scripting vulnerability was discovered in all version ≤ 5.17.3. The application is vulnerable to Stored Cross-Site Scripting (XSS) injections via description body. An attacker can thus trick a user into clicking on a malicious link or preview the document that contains the JavaScript code. Once triggered, the malicious JavaScript code is fed in the victim’s browser and executed.

Pressbooks is an open-source book content management system that exports in multiple formats: ebooks, webbooks, print-ready PDF, and various XML flavours. The system is built on top of WordPress Multisite.

Pressbooks Logo
Pressbooks Logo
A Pressbooks stored cross site scripting vulnerability was discovered in all version ≤ 5.17.3. The application is vulnerable to Stored Cross-Site Scripting (XSS) injections via description body. An attacker can thus trick a user into clicking on a malicious link or preview the document that contains the JavaScript code. Once triggered, the malicious JavaScript code is fed in the victim’s browser and executed.

Pressbooks is an open-source book content management system that exports in multiple formats: ebooks, webbooks, print-ready PDF, and various XML flavours. The system is built on top of WordPress Multisite.

To exploit the vulnerability, an attacker needs to create an account, which will create a book in which they will edit the description body of the book info with their malicious code. Only basic JavaScript coding knowledge is required to perform such attacks. A successful attack can lead the attacker to obtain the victim’s session cookie. A valid attack scenario would be to clone the applications login page within the malicious HTML file. Once opened or previewed it would alert the end user that their session has expired promoting them to enter their credentials. This could lead to account takeover.

The steps to reproduce this XSS are to go to the “book info” page and then under the “long description” insert the following code:

pressbooks-blog-image-2
Inject the following code into the “Long Description”:
<html>
<body>
<img src=# onerror=alert(document.cookie)>
</body>
</html>
Then the book information is saved.
pressbooks-blog-image-3
The XSS will trigger every time a user visits the published pressbook book.
pressbooks-blog-image-4

Impact

Stored cross site scripting.

A valid attack scenario would be to clone the applications login page, store it within the malicious HTML file. Once opened it would alert the end user that their session has expired promoting them to enter their credentials. This could lead to account takeover.

Technical Analysis

Entries entered by users should by systematically validated before processing and storage. Pressbooks should not allow HTML entities to be reflected onto the page. The use of character allow lists via strict regular expression on entries is the most effective means of mitigation against this type of attack. In addition, it is highly recommended to systematically encode user or database data into an inert format for Web browsers before sending them back to the user. The lack thereof of such implementation lead to stored cross site scripting.

Vendor Response

The Pressbooks development team sanitizes metadata book info metaboxes to prevent XSS attacks on fields that allows HTML input, this uses Htmlawed to filter and sanitize the input values. The security flaw in the pressbooks application was resolved with a pull-request merged into the dev branch of the main Pressbooks repository which addresses this vulnerability. A stable version of Pressbooks was released in late January of 2021 which includes this fix.

Timeline

  • Disclosed to the vendor January 1st, 2021
  • Acknowledged and fix was published to the dev branch on January 13th, 2021
  • Retests confirmed fix of vulnerability January 13th, 2021
  • CVE assigned January 22nd, 2021

Conclusion

Unsanitized user-input continues to be a concern in Web applications even after years of developer awareness. Although a textbook XSS, we believe publishing proof of concept for vulnerabilities like this is important as an incentive for organizations to patch.

Assigned CVE-2021-3271

Clients of GoSecure Managed Detection and Response (MDR) with the Network Detection and Response component have detection capabilities in-place in case of exploitation of this vulnerability.

GoSecure Titan® Managed Extended Detection & Response (MXDR)​

GoSecure Titan® Managed Extended Detection & Response (MXDR)​ Foundation

GoSecure Titan® Vulnerability Management as a Service (VMaaS)

GoSecure Titan® Managed Security Information & Event Monitoring (Managed SIEM)

GoSecure Titan® Managed Perimeter Defense​ (MPD)

GoSecure Titan® Inbox Detection and Response (IDR)

GoSecure Titan® Secure Email Gateway (SEG)

GoSecure Titan® Threat Modeler

GoSecure Titan® Identity

GoSecure Titan® Platform

GoSecure Professional Security Services

Incident Response Services

Security Maturity Assessment

Privacy Services

PCI DSS Services

Penetration Testing Services​

Security Operations

MicrosoftLogo

GoSecure MXDR for Microsoft

Comprehensive visibility and response within your Microsoft security environment

USE CASES

Cyber Risks

Risk-Based Security Measures

Sensitive Data Security

Safeguard sensitive information

Private Equity Firms

Make informed decisions

Cybersecurity Compliance

Fulfill regulatory obligations

Cyber Insurance

A valuable risk management strategy

Ransomware

Combat ransomware with innovative security

Zero-Day Attacks

Halt zero-day exploits with advanced protection

Consolidate, Evolve & Thrive

Get ahead and win the race with the GoSecure Titan® Platform

24/7 MXDR FOUNDATION

GoSecure Titan® Endpoint Detection and Response (EDR)

GoSecure Titan® Next Generation Antivirus (NGAV)

GoSecure Titan® Security Information & Event Monitoring (SIEM)

GoSecure Titan® Inbox Detection and Reponse (IDR)

GoSecure Titan® Intelligence

OUR SOC

Proactive Defense, 24/7

ABOUT GOSECURE

GoSecure is a recognized cybersecurity leader and innovator, pioneering the integration of endpoint, network, and email threat detection into a single Managed Extended Detection and Response (MXDR) service. For over 20 years, GoSecure has been helping customers better understand their security gaps and improve their organizational risk and security maturity through MXDR and Professional Services solutions delivered by one of the most trusted and skilled teams in the industry.

EVENT CALENDAR

LATEST PRESS RELEASE

GOSECURE BLOG

SECURITY ADVISORIES

 24/7 Emergency – (888)-287-5858