Mercurial SCM
cpe:2.3:a:mercurial-scm:mercurial:*:*:*:*:*:*:*
- 4.5.3
A cross-site scripting (XSS) vulnerability has been identified in the Mercurial SCM web interface, specifically in version 4.5.3. The issue arises from improper sanitization of user-controlled input in the 'cmd' parameter, allowing attackers to inject malicious scripts that are executed in the context of the user's browser. This vulnerability can be exploited remotely, without authentication, but requires user interaction.
Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed immediately in the victim's browser.
To reproduce this vulnerability, inject CRLF characters into the 'cmd' parameter of the Mercurial web interface. This can be done by sending a request that includes the CRLF injection payload, which will be processed as part of the HTTP headers. The lack of proper input sanitization allows the injection to bypass normal content filtering, leading to the execution of arbitrary JavaScript in the user's browser.
Users are advised to upgrade to Mercurial version 6.9.4, which addresses this vulnerability.
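Where the upgrade cannot be applied immediately, the missing input check described above can be approximated in front of the web interface. The following is an added example, not Mercurial's own code and not the upstream fix: the names `has_control_chars`, `cmd_is_suspicious` and `RejectControlCharsInCmd` are hypothetical, and it assumes the web interface is served as a WSGI application and that `cmd` arrives in the query string.

```python
import re
from urllib.parse import unquote, unquote_plus

PARAM = "cmd"  # the parameter named in the advisory


def has_control_chars(value):
    """True if value holds CR, LF or any other ASCII control character."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def cmd_is_suspicious(query_string):
    """Inspect every 'cmd' value in a raw, still percent-encoded query string."""
    # Split on both '&' and ';' so neither separator style hides the parameter.
    for field in re.split(r"[&;]", query_string):
        name, _, raw = field.partition("=")
        if unquote_plus(name) != PARAM:
            continue
        once = unquote_plus(raw, encoding="latin-1")
        twice = unquote(once, encoding="latin-1")  # catches double encoding
        if has_control_chars(once) or has_control_chars(twice):
            return True
    return False


class RejectControlCharsInCmd:
    """WSGI wrapper: answer 400 before the wrapped app sees such a request."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if cmd_is_suspicious(environ.get("QUERY_STRING", "")):
            body = b"Bad Request\n"
            start_response("400 Bad Request", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)
```

The same `cmd_is_suspicious` function can be run over the query strings in existing access logs to look for earlier attempts.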