OpenWGA Cross-Site Scripting Vulnerability in Admin UI

Vulnerability

A stored cross-site scripting vulnerability has been identified in OpenWGA version 7.11.12 Build 737. The issue lies in the Admin UI component, where untrusted input is persistently saved in various fields without proper output encoding. When that data is later displayed in the Admin UI, the stored JavaScript executes in the browser of the user viewing the content. The vulnerability can be exploited remotely by an attacker with low privileges, potentially leading to session hijacking or account takeover of administrators.

Impact

Exploitation of this vulnerability allows arbitrary scripts to run in the context of the affected user's browser session. Here, that can mean session theft or account takeover of administrators who view the impacted pages.

Reproduction

To reproduce this vulnerability, authenticate as a low-privileged user and navigate to an Admin Client form that allows the entry of labels or descriptions. Save a field with a benign payload, such as an image tag with an error event handler. Then, log in as an administrator and access a page that displays the stored value. The injected script will execute when the page renders the content.

Remediation

Apply context-specific encoding when rendering user-controlled values, sanitize dangerous markup in rich text fields, and consider deploying a strict Content Security Policy to mitigate the risk of exploitation.

Added: Oct 27, 2025, 9:23 AM
Updated: Oct 27, 2025, 2:06 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 6.3
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.