Jakowenko Double-Take Cross-Site Scripting Vulnerability in API Component
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Jakowenko Double-Take versions through 1.13.1. The issue resides in the API component, specifically within the 'app.use' function of 'api/src/app.js'. The vulnerability is triggered by manipulating the 'X-Ingress-Path' header, allowing for the injection of arbitrary JavaScript. This reflected XSS can be exploited remotely, particularly through misconfigured reverse proxies or malicious browser extensions.
Impact
Exploitation of this vulnerability allows for unauthenticated reflected cross-site scripting, where an attacker can execute arbitrary JavaScript in the context of the victim's browser session. This could lead to stealing session cookies or authentication tokens, extracting sensitive information, or impersonating users for social engineering attacks.
Reproduction
To reproduce this vulnerability, download Double-Take version 1.13.1 and start it using Docker. Once the application is running, inject a script payload into the 'X-Ingress-Path' header and access the Double-Take UI. The injected script will execute, confirming the presence of the XSS vulnerability.
Remediation
Upgrade to Jakowenko Double-Take version 1.13.2, which includes a patch for this vulnerability. The updated version can be downloaded from the Double-Take GitHub releases page.
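The class of fix for a reflected proxy header such as 'X-Ingress-Path' is to validate the value against a strict path allowlist and escape it for the HTML context before it reaches the page. The following is an added example, not code from Double-Take or its 1.13.2 patch; the function names, the script-tag template and the sample header values are assumptions made for illustration.

```javascript
'use strict';

// Allowlist for a proxy-supplied path prefix: one or more "/segment" parts
// built from URL-safe characters only (assumed shape of a legitimate prefix).
const SAFE_PREFIX = /^(?:\/[A-Za-z0-9._~-]+)+$/;
const MAX_PREFIX_LENGTH = 256;

// Return a safe prefix, or '' when the header is absent or fails validation.
function sanitizeIngressPath(headerValue) {
  if (typeof headerValue !== 'string') return ''; // missing or non-string value
  const value = headerValue.trim().replace(/\/+$/, ''); // drop trailing slashes
  if (value.length === 0 || value.length > MAX_PREFIX_LENGTH) return '';
  // Reject dot segments, which the character allowlist alone would let through.
  if (value.split('/').some((seg) => seg === '.' || seg === '..')) return '';
  return SAFE_PREFIX.test(value) ? value : '';
}

// Contextual HTML escaping, applied even to validated values (defence in depth).
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (hypothetical template): header reflected verbatim.
function renderIndexUnsafe(headers) {
  const prefix = headers['x-ingress-path'] || '';
  return `<script src="${prefix}/app.js"></script>`;
}

// Hardened pattern: validate first, then escape for the attribute context.
function renderIndexSafe(headers) {
  const prefix = sanitizeIngressPath(headers['x-ingress-path']);
  return `<script src="${escapeHtml(prefix)}/app.js"></script>`;
}

// Constructed sample inputs, not captured traffic.
const benign = { 'x-ingress-path': '/api/ingress/abc123' };
const hostile = { 'x-ingress-path': '"></script><script>alert(1)</script>' };

console.log(renderIndexSafe(benign));    // prefix kept
console.log(renderIndexUnsafe(hostile)); // markup broken out of the attribute
console.log(renderIndexSafe(hostile));   // header discarded, default path used
```

Falling back to an empty prefix on a rejected header keeps the UI loading from the root path instead of failing the request.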
