OSV:GHSA-XR7P-8Q82-878Q
Dec 06, 2022 - 3:36 p.m.

teler dashboard vulnerable to DOM-based cross-site scripting (XSS)

2022-12-06 15:36:15
Google
osv.dev

CVSS3: 5.4

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 19.5%

Description

teler versions prior to 2.0.0-rc.4 are vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When the dashboard requests messages from the event stream on the /events endpoint, the log data it displays is not sanitized.
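An added illustration of the flaw described above, not teler's own dashboard code: log fields from an event-stream message are placed into markup unescaped, next to a version that encodes them first. The event field names and the sample event are assumptions constructed for this example.

```javascript
// Added illustration; not teler's code. Field names below are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const FIELDS = ["time", "category", "remote_addr", "request_uri"];

// Encode the characters that are significant in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Parse one event-stream "data:" payload; accept only a JSON object.
function parseEvent(data) {
  let evt;
  try { evt = JSON.parse(data); } catch { return null; }
  return evt && typeof evt === "object" && !Array.isArray(evt) ? evt : null;
}

// Vulnerable pattern: request-derived log fields concatenated into markup
// that a dashboard would then assign to innerHTML.
function renderRowUnsafe(evt) {
  return "<tr>" + FIELDS.map((f) => `<td>${evt[f]}</td>`).join("") + "</tr>";
}

// Hardened pattern: every field is encoded before it reaches the markup.
// In a browser, building cells with textContent achieves the same result.
function renderRowSafe(evt) {
  return "<tr>" + FIELDS.map((f) => `<td>${escapeHtml(evt[f] ?? "")}</td>`).join("") + "</tr>";
}

// Constructed sample: a detected-threat log entry whose URI carries markup.
const SAMPLE = JSON.stringify({
  time: "2022-12-06T15:36:15Z",
  category: "Common Web Attack",
  remote_addr: "203.0.113.7",
  request_uri: "/search?q=<img src=x onerror=alert(1)>",
});

function demo() {
  const evt = parseEvent(SAMPLE);
  return { unsafe: renderRowUnsafe(evt), safe: renderRowSafe(evt) };
}

console.log(demo());
```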

Impact

This only affects authenticated users, and it can only be exploited through detected threats, when the log contains a DOM scripting payload. This indicates low severity, with no significant impact on users.

Affected Version

This issue affects versions v2.0.0-rc through v2.0.0-rc.3, and v2.0.0-dev.

Patches

This vulnerability has been fixed in versions v2.0.0-rc.4 and v2.0.0-dev.2.

Workarounds

Workarounds for this issue:

  • Deactivate the live event dashboard in the configuration file, or
  • Upgrade teler to v2.0.0-rc.4, v2.0.0-dev.2, or above.
