Bruno IDE Cross-Site Scripting Vulnerability in Tooltip Component
Vulnerability
A cross-site scripting vulnerability has been identified in the Bruno IDE prior to version 1.39.1. The issue arises in the custom tooltip components built on react-tooltip, which handled content improperly by injecting raw HTML into the DOM on hover. Combined with lenient Content Security Policy restrictions, this flaw allowed inline scripts contained in otherwise valid HTML text to execute. The vulnerability is exploitable only when a user imports a collection from an untrusted source and then hovers over an environment name in that collection.
Impact
Exploitation of this vulnerability allows for cross-site scripting, with the potential for remote code execution on the user's system.
Reproduction
To reproduce this vulnerability, download a malicious Bruno or Postman collection export from an untrusted source. Import the collection into the Bruno IDE version 1.38.0 or later, but prior to 1.39.1. Once the collection is loaded, navigate to the 'Collection Environments' or 'Global Environments' section and hover over the environment name. The injected script will execute, taking advantage of the cross-site scripting vulnerability.
Remediation
Users should update to Bruno version 1.39.1 or later, which addresses this vulnerability by correcting how tooltips handle content and strengthening the Content Security Policy.
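The two fixes named above, shown in an added JavaScript example that is not Bruno's code: an environment name taken from a constructed collection export is escaped before it is placed in tooltip markup, and a Content-Security-Policy string is checked for whether it would still let inline scripts run. The tooltip markup, the escape function and the CSP parser are illustrative assumptions, not react-tooltip's API.

```javascript
// Added example (not Bruno's code): escape an environment name before it goes into
// tooltip markup, and check whether a CSP would still allow inline scripts.

// Escape the characters that matter in HTML text and attribute contexts so an
// untrusted name is rendered as literal text instead of being parsed as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (assumed, illustrative): the name is concatenated straight
// into the HTML the tooltip injects into the DOM on hover.
function tooltipMarkupUnsafe(envName) {
  return `<span class="tooltip">${envName}</span>`;
}

// Hardened pattern: same markup, untrusted name escaped first.
function tooltipMarkupSafe(envName) {
  return `<span class="tooltip">${escapeHtml(envName)}</span>`;
}

// Parse a Content-Security-Policy header value into directive -> source list.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Lenient for this bug means inline scripts may run: no script-src or default-src
// at all, or 'unsafe-inline' present without a nonce, hash or 'strict-dynamic'
// source (any of which makes browsers ignore 'unsafe-inline').
function allowsInlineScript(policy) {
  const d = parseCsp(policy);
  const sources = d['script-src'] ?? d['default-src'];
  if (!sources) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const overridden = lower.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  return lower.includes("'unsafe-inline'") && !overridden;
}

// Constructed sample export: one environment name carries markup.
const importedCollection = { environments: [{ name: 'Local' }, { name: '<b>Staging</b>' }] };

// What the collection's environment tooltips should contain after import.
function renderEnvironmentTooltips(collection) {
  return collection.environments.map((env) => tooltipMarkupSafe(env.name));
}
```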
