Alteryx Server Cross-Site Scripting Vulnerability in Notifications

Vulnerability

A stored cross-site scripting vulnerability has been identified in Alteryx Server version 2023.1.1.460. A remote attacker who can edit notifications is able to inject arbitrary HTML or JavaScript into the notification body, which is stored without escaping or encoding and rendered when the notification is displayed. The injected script executes in the browser of every user who views the notification, potentially leading to session or account compromise and data exfiltration.

Impact

Exploitation of this vulnerability allows arbitrary JavaScript to run in the victim's browser. Because notifications are shown to users regardless of role, this lets the attacker perform actions on behalf of any viewing user, administrators included, and read or modify any information reachable from the impacted user's session.

Reproduction

To reproduce this vulnerability, navigate to the Notifications page and edit a notification. Insert a payload containing JavaScript into the notification body, for example an anchor whose href uses the javascript: URL scheme. The application stores the body as submitted, without escaping or encoding it, so once the notification is saved the injected markup is rendered wherever the notification is viewed, and a javascript: link executes as soon as a viewer clicks it.

Remediation

To mitigate this vulnerability, encode all user-controllable data for the context in which it is output (HTML body, attribute value, or URL). If notifications legitimately need rich text, sanitize the HTML against an allowlist of tags and attributes and restrict link targets to the http and https schemes. Deploy a Content Security Policy whose script-src does not include 'unsafe-inline', which also blocks javascript: URLs, as defence in depth. Validating or rejecting suspicious input before it is stored is a useful secondary control, but output encoding is what actually prevents execution.
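The following is an added example, not Alteryx Server code, covering both the reproduction above and the remediation. It places the vulnerable rendering pattern (the stored body interpolated straight into the page) beside a hardened renderer that HTML-encodes the body, allowlists link schemes so a javascript: href is dropped, and a write-time check plus a CSP header as secondary controls. The function names, the notification shape {body, link, linkText} and the sample notification are assumptions made for illustration.

```javascript
// Added example (not Alteryx Server code): a notification body rendered by
// raw string interpolation, beside a hardened renderer that HTML-encodes the
// body and allowlists link schemes. Function names and the notification
// shape {body, link, linkText} are assumptions for illustration.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Encode the five characters that can change context in HTML text nodes
// and in double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Return the link unchanged if its scheme is http(s) or it is relative;
// return null for javascript:, data:, vbscript: and anything unparseable.
// Leading control characters and embedded tab/newline are removed first
// because browsers ignore them when resolving a URL, so "\tJavaScript:"
// would otherwise slip past a naive prefix check.
function sanitizeHref(raw) {
  const cleaned = String(raw)
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\n\r]/g, "");
  let parsed;
  try {
    // The base only matters for resolving relative links; it is never emitted.
    parsed = new URL(cleaned, "https://relative-base.invalid/");
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? cleaned : null;
}

// Vulnerable pattern: the stored body is dropped into the template as-is,
// so any markup or javascript: link an editor saved is rendered live.
function renderNotificationUnsafe(n) {
  return `<div class="notification">${n.body}</div>`;
}

// Hardened pattern: the body is treated as text, the link is scheme-checked
// and then attribute-encoded, and a rejected link is simply omitted.
function renderNotificationSafe(n) {
  const href = n.link ? sanitizeHref(n.link) : null;
  const anchor = href
    ? ` <a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(n.linkText || href)}</a>`
    : "";
  return `<div class="notification">${escapeHtml(n.body)}${anchor}</div>`;
}

// Secondary control at write time: refuse bodies that carry markup or a
// script scheme. Output encoding above is what actually prevents execution;
// this check only keeps obvious payloads out of the database.
function validateBodyForStorage(body) {
  const flat = String(body).replace(/[\u0000-\u0020]/g, "").toLowerCase();
  if (/[<>]/.test(flat) || /(javascript|vbscript|data):/.test(flat)) {
    return { ok: false, reason: "markup or script scheme not allowed" };
  }
  return { ok: true };
}

// CSP header for defence in depth: with no 'unsafe-inline' in script-src,
// javascript: URLs and inline handlers are blocked even if encoding fails.
const CSP_HEADER =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'";

// Constructed sample notification of the kind the advisory describes.
const PAYLOAD = '<a href="JavaScript:alert(document.cookie)">Details</a>';
const STORED_NOTIFICATION = {
  body: "Scheduled maintenance tonight at 22:00. " + PAYLOAD,
  link: "JavaScript:alert(document.cookie)",
  linkText: "Details",
};

function demo() {
  return {
    unsafe: renderNotificationUnsafe(STORED_NOTIFICATION),
    safe: renderNotificationSafe(STORED_NOTIFICATION),
    storable: validateBodyForStorage(STORED_NOTIFICATION.body),
    csp: CSP_HEADER,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The unsafe renderer emits the stored anchor verbatim, so the javascript: link is live for anyone who views the notification. The safe renderer turns the same body into inert text and drops the link because its scheme is not http or https; a legitimate https link is still rendered, with its href attribute-encoded.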

Added: Jul 10, 2025, 7:33 PM
Updated: Jul 10, 2025, 7:33 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.4
exploitability: 7.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.