Listen to this Post
The reflected Cross-Site Scripting (XSS) vulnerability exists in the GET /admin/edit-codepage/:name route where the ‘name’ parameter is directly inserted into the page’s breadcrumbs without proper sanitization. This allows an attacker to inject malicious JavaScript code into the response. When an admin user with an active session clicks a crafted link containing the payload, the script executes in their browser context, potentially hijacking their session. The Command Injection vulnerability occurs in the GET /admin/backup endpoint where user-supplied input from the ‘backup password’ field is unsafely incorporated into a shell command used for creating backups. An attacker can inject arbitrary commands by including shell metacharacters, which are then executed on the server with the privileges of the Saltcorn process. These two vulnerabilities can be chained: an attacker first crafts a malicious link exploiting the XSS to force the admin’s browser to make a request to the backup endpoint with injected commands. This leads to remote code execution on the server without the admin’s direct interaction beyond clicking the link, as the JavaScript can silently trigger the command injection request.
Platform: Saltcorn
Version: >=1.3.0
Vulnerability: XSS, Command Injection
Severity: Critical
Date: Unknown
Prediction: Unpatched
What Undercode Say:
Analytics
https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/server/routes/admin.jsL4886-L4887
https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/saltcorn-admin-models/models/backup.tsL381-L382
http://localhost:3000/admin/edit-codepage/%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E%0A
“;$(whoami);”
how Exploit:
Craft XSS link.
Inject backup password.
Chain for RCE.
Protection from this CVE
Sanitize user input.
Validate shell commands.
Use CSRF tokens.
Impact:
Admin session hijack.
Remote code execution.
Server compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

