CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Attack Vector: NETWORK | Attack Complexity: MEDIUM | Authentication: NONE | Confidentiality Impact: NONE | Integrity Impact: PARTIAL | Availability Impact: NONE

CVSS3: 6.1 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: REQUIRED | Scope: CHANGED | Confidentiality Impact: LOW | Integrity Impact: LOW | Availability Impact: NONE

EPSS: 0.001 Low (Percentile: 47.9%)

Title: GWTUpload XSS in the file upload functionality
Advisory ID: CORE-2020-0003
Date published: 2020-03-04
Date of last update: 2020-03-04
Vendors contacted: Manuel Carrasco Moñino (<https://github.com/manolo/gwtupload>)
Release mode: Forced release

Class: Failure to Preserve Web Page Structure ('Cross-site Scripting') | CWE-79
Impact: Code execution, allowing privilege escalation
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2020-9447

GWTUpload is a library for uploading files to web servers that features real-time updates on file size, bytes transferred, and other relevant information during upload. It was developed by Manuel Carrasco Moñino and is available on GitHub, the software development site used primarily for hosting source code and providing version control, issue tracking, and documentation capabilities.
There is an XSS (cross-site scripting) vulnerability in the file upload functionality. An attacker can upload a file whose filename contains JavaScript code, which results in XSS. Cross-site scripting enables attackers to steal data, change the appearance of a website, and perform other malicious activities like phishing or drive-by hacking.
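One way to treat the client-supplied filename defensively, shown as an added example that is not part of the advisory, the GWTUpload code base or its patches: restrict the stored name to an allow-list and HTML-encode the name wherever it is echoed back to a page. The class name, method names, allowed character set and sample filenames are assumptions made for illustration.

```java
import java.util.regex.Pattern;

/** Added example: neutralising an uploaded file's name before it is stored or displayed. */
public class UploadFileNameGuard {

    // Assumption: the application only needs letters, digits, dot, underscore, space and dash.
    private static final Pattern UNSAFE = Pattern.compile("[^A-Za-z0-9._ -]");
    private static final int MAX_LEN = 255;

    /** Reduce a client-supplied name to its last path segment and an allow-listed character set. */
    static String sanitizeFileName(String clientName) {
        if (clientName == null) return "upload";
        // Some clients send a full path; keep only the final segment.
        int cut = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\')) + 1;
        String cleaned = UNSAFE.matcher(clientName.substring(cut)).replaceAll("_");
        if (cleaned.length() > MAX_LEN) cleaned = cleaned.substring(0, MAX_LEN);
        // Reject empty names and names made only of dots or spaces.
        return cleaned.replace(".", "").trim().isEmpty() ? "upload" : cleaned;
    }

    /** Output encoding for HTML text nodes and quoted attribute values. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample filenames, not taken from the advisory.
        String[] samples = { "report-2020.pdf", "<img src=x onerror=alert(1)>.png", "..\\..\\a\"b.txt" };
        for (String name : samples) {
            System.out.println("stored as: " + sanitizeFileName(name));
            System.out.println("echoed as: " + escapeHtml(name));
        }
    }
}
```

The two functions address different points: the allow-list limits what is persisted, while the encoding has to be applied at every place the name is written into HTML, including names that were stored before any sanitising was in place.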
No version has been released to fix the reported issue.
Patches have been developed which will sanitize the upload file:
This vulnerability was discovered and researched by Alikhan Uzakov from the Application Security Team of Clearswift, A Fortra Company.
The publication of this advisory was coordinated by Pablo Zurro from the CoreLabs Advisories Team.
GWTUpload provides functionality to upload files to web servers, showing a progress bar with real-time updates about the process (file size, bytes transferred, etc.). It uses Ajax requests to ask the web server for the upload progress. It has two components written in Java: the server side, with servlet and utility classes, and the client side, which is compiled into JavaScript using GWT. This functionality could be abused by an unauthenticated attacker to upload an arbitrary file, leading to the execution of malicious code.
This proof of concept demonstrates the vulnerability.
This vulnerability can be reproduced as follows:
2019-11-12 – Contacted library creator via email. Unfortunately, no response was received.
2020-02-12 – Opened a GitHub issue.
2020-02-28 – Requested and received CVE from Mitre.
2020-03-04 – Sent fixes to GitHub project with patches.
2020-03-05 – Library creator informed about the advisory publication.
2020-03-16 – Advisory published.
CoreLabs, the research center of Core Security, A Fortra Company, is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at www.coresecurity.com/core-labs.
Core Security, a Fortra Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at [email protected]
The contents of this advisory are copyright © 2020 Core Security and © 2020 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>