BigID PrivacyPortal Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in BigID PrivacyPortal version 179. This issue allows authenticated users to inject JavaScript into report templates via the 'Label' field. The injected script is executed in the context of all users viewing the report, potentially leading to session hijacking and unauthorized actions on behalf of the user.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the report. This could lead to session hijacking and unauthorized actions within the application.

Reproduction

The vulnerability can be reproduced by logging into BigID PrivacyPortal v179 and navigating to the report template function. Inject JavaScript into the 'Label' field, bypassing client-side validations, and exploit the injection by manipulating the Content Security Policy.

Remediation

BigID has released a patch that sanitizes the 'Label' input in report templates, removing the ability to inject scripts. Users should update to the latest version of BigID PrivacyPortal to address this vulnerability.