Missing input validation and output encoding allows JavaScript injection, leading to Reflected Cross Site Scripting (XSS).
Reflected Cross Site Scripting may be used to inject arbitrary JavaScript into an authenticated page of Microsoft System Center 2016. One may intercept the GET request below and modify the SpaceID parameter to inject arbitrary strings into the left navigation pane of the web console.
GET /OperationsManager/InternalPages/NavigationTree.aspx?SpaceId=1002&ViewId=Favorites_Overview HTTP/1.1
Here is an example of an arbitrary string:
abc%3E%3C",'00000000-0000-0000-0000-000000000000');alert(1);//%3E
Malicious JavaScript, once injected, can modify the current behavior of the page and be used to deliver trojans, force malicious redirections, spoof content, install keyloggers, leak content, and leak the VIEWSTATE and validators' tokens (defeating anti-CSRF controls), etc.
Note: The attack is applicable to any ViewId value and to every request that carries a SpaceId query string parameter.
Expected result: Invalid SpaceID error or empty pane and no execution of arbitrary JavaScript.
Outcome: Arbitrary JavaScript executed.
Implement strict input validation. Only integers are accepted as SpaceID, so a data type check on the input is sufficient to remediate the vulnerability.
We have added a check to ensure that the SpaceID is a supported value only (1001 and 1002); otherwise the data in the tree is empty.
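The following is an added illustration of the remediation described above, written here as a stand-alone Python example; it is not Microsoft's code. It assumes the handler only needs the two SpaceId values named in the advisory (1001 and 1002), applies a strict digits-only check before the allow-list check, HTML-encodes any value it reflects into the pane, and, for defenders, scans constructed access-log lines for requests whose SpaceId would fail the same check.

```python
# Added example (not Microsoft's code): strict allow-list validation for the
# SpaceId query parameter, HTML encoding of anything reflected into the page,
# and a small log scan that flags requests carrying a malformed SpaceId.
from html import escape
from urllib.parse import urlsplit, parse_qs
import re

# Assumption: only the two SpaceId values named in the advisory are supported.
SUPPORTED_SPACE_IDS = {1001, 1002}
# Strict integer form: digits only, no sign, no whitespace, no trailing junk.
INT_RE = re.compile(r"^\d{1,9}$")


def parse_space_id(raw):
    """Return the SpaceId as int if it is a supported value, else None.

    Data-type check first (digits only), allow-list second, so a string such
    as abc><",'...');alert(1);//> is rejected before it reaches the tree.
    """
    if raw is None or not INT_RE.fullmatch(raw):
        return None
    value = int(raw)
    return value if value in SUPPORTED_SPACE_IDS else None


def render_navigation_tree(query_string):
    """Build the navigation pane fragment for the given query string.

    An unsupported or malformed SpaceId yields an empty pane, which is the
    expected result stated in the advisory. ViewId is free-form text and is
    HTML-encoded before being reflected, so it cannot break out of the markup.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    space_id = parse_space_id(params.get("SpaceId", [None])[0])
    view_id = params.get("ViewId", [""])[0]
    if space_id is None:
        return "<ul class='navtree'></ul>"
    return (
        "<ul class='navtree' data-space='%d'>"
        "<li>%s</li></ul>" % (space_id, escape(view_id, quote=True))
    )


# Detection: flag access-log lines whose SpaceId is not a supported integer.
# Constructed sample lines in Common Log Format (not real traffic); the second
# line carries a URL-encoded form of the string shown in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2020:10:00:01 +0000] "GET /OperationsManager/InternalPages/NavigationTree.aspx?SpaceId=1002&ViewId=Favorites_Overview HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jun/2020:10:00:02 +0000] "GET /OperationsManager/InternalPages/NavigationTree.aspx?SpaceId=abc%3E%3C%22,%2700000000-0000-0000-0000-000000000000%27)%3Balert(1)%3B//%3E&ViewId=Favorites_Overview HTTP/1.1" 200 5300
10.0.0.9 - - [01/Jun/2020:10:00:03 +0000] "GET /OperationsManager/InternalPages/NavigationTree.aspx?SpaceId=9999&ViewId=Favorites_Overview HTTP/1.1" 200 4000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)


def find_suspicious_space_ids(log_text):
    """Return (client_ip, decoded SpaceId) for every request whose SpaceId
    fails the same check the page applies."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        params = parse_qs(query, keep_blank_values=True)
        if "SpaceId" not in params:
            continue
        raw = params["SpaceId"][0]
        if parse_space_id(raw) is None:
            hits.append((m.group("ip"), raw))
    return hits


if __name__ == "__main__":
    print(render_navigation_tree("SpaceId=1002&ViewId=Favorites_Overview"))
    for ip, value in find_suspicious_space_ids(SAMPLE_LOG):
        print("suspicious SpaceId from %s: %r" % (ip, value))
```

The order of the checks matters: parsing the value as an integer before consulting the allow-list means a non-numeric value never reaches any code path that could reflect it, and the output encoding on ViewId is the second layer in case another parameter is ever echoed into the pane.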
See the security guidance advisory on CVE-2020-1331.
Reflected Cross Site Scripting, Content Spoofing