Nozomi Networks Guardian and CMC Angular Template Injection Vulnerability in Reports Functionality

Vulnerability

A vulnerability allowing Angular template injection has been identified in the Reports feature of Nozomi Networks Guardian and CMC versions prior to 26.1.0. This issue arises from inadequate validation of input parameters, enabling an authenticated user with report privileges to create a malicious report that includes an Angular template payload. Alternatively, a victim could be manipulated into importing a harmful report template. Once the report is viewed or imported, the Angular template executes in the user's browser, potentially allowing the attacker to alter application data or disrupt the application's availability. However, the current input validation and Content Security Policy settings prevent complete exploitation of this vulnerability through cross-site scripting and direct information disclosure.
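
The import path described above can be screened before a template reaches the browser. This added example, which is not Nozomi code, assumes the report template is JSON (the real report format is not given on this page) and flags any string containing Angular's default `{{ }}` interpolation delimiters; the field names in the sample are constructed.

```javascript
// Added example, not Nozomi code. Assumes the report template is JSON; the
// field names in the sample are constructed for illustration.

// Default Angular interpolation delimiters: {{ expression }}
const INTERPOLATION = /\{\{[\s\S]*?\}\}/g;

// Recursively visit every string in the parsed template (object keys too,
// since a UI may render them) and record where a binding marker appears.
function findTemplateMarkers(node, path = "$", hits = []) {
  if (typeof node === "string") {
    for (const m of node.matchAll(INTERPOLATION)) {
      hits.push({ path, marker: m[0].slice(0, 40) });
    }
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => findTemplateMarkers(item, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      findTemplateMarkers(key, `${path}.<key>`, hits);
      findTemplateMarkers(value, `${path}.${key}`, hits);
    }
  }
  return hits;
}

// Parse first, then scan: scanning decoded values means JSON escapes such as
// \u007b\u007b are caught as well. Unparseable input is rejected outright.
function checkReportTemplate(jsonText) {
  let parsed;
  try {
    parsed = JSON.parse(jsonText);
  } catch (err) {
    return { ok: false, reason: "not valid JSON", hits: [] };
  }
  const hits = findTemplateMarkers(parsed);
  return hits.length === 0
    ? { ok: true, reason: "no interpolation markers", hits }
    : { ok: false, reason: "interpolation markers present", hits };
}

// Constructed sample input: one clean template, one carrying a marker in a
// nested widget title (written with JSON unicode escapes for the braces).
const cleanTemplate = '{"name":"Weekly assets","widgets":[{"title":"Top talkers"}]}';
const suspectTemplate =
  '{"name":"Weekly assets","widgets":[{"title":"Top \\u007b\\u007b 1 + 1 \\u007d\\u007d"}]}';

console.log(checkReportTemplate(cleanTemplate));
console.log(checkReportTemplate(suspectTemplate));
```

Each hit carries the JSON path of the offending field, so a reviewer can inspect that value before deciding whether to import the template.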

Impact

Exploitation of this vulnerability could lead to unauthorized modification of application data or disruption of application availability. While the existing input validation and Content Security Policy configuration mitigate full cross-site scripting exploitation and direct information disclosure, the vulnerability still poses a risk by allowing Angular templates to be executed in the context of the victim's browser.

Remediation

Users are advised to upgrade to Nozomi Networks Guardian or CMC version 26.1.0 or later.

Added: May 19, 2026, 2:23 PM
Updated: May 19, 2026, 2:23 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 1.7
exploitability: 4.6
remediation: 7.9
relevance: 8.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.