GoSecure Titan Labs discovered a stored cross-site scripting (XSS) vulnerability in IBM Content Navigator. Users are strongly advised to upgrade to version 3.0.9 or above. This blog post details the vulnerability, its impact and provides a proof of concept for exploitation.

IBM Content Navigator is, according to IBM, a flexible, full featured content management solution. The application is vulnerable to Stored Cross-Site Scripting (XSS) injections via its file upload functionality. An attacker may be able to upload malicious HTML content and trick the user into clicking on the malicious link generated by the application or preview the document that contains the JavaScript code. Once triggered, the malicious JavaScript code is executed in the victim’s browser.
 

Impact

IBM rated this vulnerability with a CVSS 3.0 rating of 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) which results in a medium severity vulnerability.

Exploitation of this issue could allow attackers to execute code in the victim’s browser that could lead to accessing certain types of data such as cookies or credentials within a trusted session.

While exploitation of this issue does require authentication to the platform using a low privilege account and interaction of the targeted user with the malicious link generated by the platform, the technical requirements remain low since only basic JavaScript coding knowledge is required to perform the attack.
 

Technical Analysis

In the IBM Content Navigator platform, users can upload files that will then be served by the platform. To exploit the vulnerability associated with this feature, an attacker needs to upload a malicious file containing HTML content via the file upload functionality. Successful exploitation could allow the attacker to obtain the victim’s session cookie or conduct social engineering attacks.

For instance, a valid attack scenario would be to clone the application’s login page within the malicious HTML file. Once opened it would alert the end-user that their session has expired prompting them to enter their credentials and therefore potentially lead to account takeover.

Exploitation of this vulnerability can be achieved using the following steps:

1st Step: Create the HTML file containing the malicious payload. For this demonstration, the following payload was used:

<html>
<head>POC Cookie Grabber</head>
<body>
<img src=# onerror=alert(document.cookie)>
"><iframe/src=javascript:alert(document.cookie)>
</body>
</html>

 
2nd Step: Click on the drop-down icon to select the upload file option.

 
3rd Step: Upload the file

Search for the file via the AppID assigned in step 2 and then select the result for the search AppID and either “Preview” or “Open in a new tab”.

 
This will display the XSS and user’s cookie.
 

Mitigation

To ensure adequate protection against this vulnerability, update IBM Content Navigator to version 3.0.9 and above.

If this is not currently possible, as mentioned by IBM, the IBM Content Navigator viewer map can be configured to prevent users from opening or previewing certain types of documents as described in this article: https://www-03preprod.ibm.com/support/knowledgecenter/SSEUEX_3.0.8/com.ibm.installingeuc.doc/eucco011.htm
 

Conclusion

Vulnerabilities like Cross-Site Scripting, caused by a lack of user-input filtering, are well known but are still very prevalent. By using well-known security solutions, following secure development practices, and ensuring that commercial applications are always up to date, you can avoid vulnerabilities like these and keep your application secure.

This vulnerability was assigned CVE-2020-4757 and has been disclosed to the vendor following our responsible disclosure process. The IBM Security Bulletin is available here.

Vulnerability identified and documented by Olivier Laflamme and blog post by Louis-Philippe Frenette Blais.

GoSecure Titan® Managed Extended Detection & Response (MXDR)​

GoSecure Titan® Managed Extended Detection & Response (MXDR)​ Foundation

GoSecure Titan® Vulnerability Management as a Service (VMaaS)

GoSecure Titan® Managed Security Information & Event Monitoring (Managed SIEM)

GoSecure Titan® Managed Perimeter Defense​ (MPD)

GoSecure Titan® Inbox Detection and Response (IDR)

GoSecure Titan® Secure Email Gateway (SEG)

GoSecure Titan® Threat Modeler

GoSecure Titan® Identity

GoSecure Titan® Platform

GoSecure Professional Security Services

Incident Response Services

Security Maturity Assessment

Privacy Services

PCI DSS Services

Penetration Testing Services​

Security Operations

MicrosoftLogo

GoSecure MXDR for Microsoft

Comprehensive visibility and response within your Microsoft security environment

USE CASES

Cyber Risks

Risk-Based Security Measures

Sensitive Data Security

Safeguard sensitive information

Private Equity Firms

Make informed decisions

Cybersecurity Compliance

Fulfill regulatory obligations

Cyber Insurance

A valuable risk management strategy

Ransomware

Combat ransomware with innovative security

Zero-Day Attacks

Halt zero-day exploits with advanced protection

Consolidate, Evolve & Thrive

Get ahead and win the race with the GoSecure Titan® Platform

24/7 MXDR FOUNDATION

GoSecure Titan® Endpoint Detection and Response (EDR)

GoSecure Titan® Next Generation Antivirus (NGAV)

GoSecure Titan® Security Information & Event Monitoring (SIEM)

GoSecure Titan® Inbox Detection and Reponse (IDR)

GoSecure Titan® Intelligence

OUR SOC

Proactive Defense, 24/7

ABOUT GOSECURE

GoSecure is a recognized cybersecurity leader and innovator, pioneering the integration of endpoint, network, and email threat detection into a single Managed Extended Detection and Response (MXDR) service. For over 20 years, GoSecure has been helping customers better understand their security gaps and improve their organizational risk and security maturity through MXDR and Professional Services solutions delivered by one of the most trusted and skilled teams in the industry.

EVENT CALENDAR

LATEST PRESS RELEASE

GOSECURE BLOG

SECURITY ADVISORIES

 24/7 Emergency – (888)-287-5858