^{CVE-2021-30213:}Unauthenticated Reflected XSS in Knowage Suite 7.3

Overview

This vulnerability (CVE-2021-30213) is a reflected cross-site scripting (XSS) issue in Knowage Suite 7.3, an open-source business intelligence and analytics platform. The vulnerability is particularly severe because it doesn't require authentication to exploit, making it accessible to unauthenticated attackers. When exploited, the vulnerability allows attackers to execute arbitrary JavaScript code in the context of the victim's browser session. This could lead to cookie theft, session hijacking, credential harvesting, or other client-side attacks. The vulnerable component is the '/servlet/AdapterHTTP' endpoint which improperly handles user input from the 'targetService' parameter.

Remediation

1. Update Knowage Suite to the latest version that contains a fix for this vulnerability.
2. If immediate updating is not possible, implement the following mitigations:
   • Configure a Web Application Firewall (WAF) to filter malicious requests targeting the vulnerable parameter.
   • Implement Content Security Policy (CSP) headers to restrict execution of unauthorized scripts.
   • Consider using input validation at the proxy or load balancer level to sanitize the 'targetService' parameter.
3. Regularly audit web application endpoints for proper input validation and output encoding.
4. Ensure that all user inputs are properly sanitized before being reflected back in HTTP responses.
5. Apply the principle of least privilege for web application components and services.

References

1. Vulnerability details and proof of concept: https://github.com/piuppi/Proof-of-Concepts/blob/main/Engineering/XSS-KnowageSuite7-3_unauth.md
2. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): https://cwe.mitre.org/data/definitions/79.html
3. OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html