Nginx Proxy Manager CORS Misconfiguration Vulnerability Allowing Token Theft in Version 2.12.3

A CORS misconfiguration vulnerability has been identified in Nginx Proxy Manager version 2.12.3. This vulnerability allows unauthorized domains to access sensitive data, specifically JSON Web Tokens (JWT), due to inadequate validation of the Origin header. As a result, attackers can intercept tokens using a simple browser script and exfiltrate them to a remote server controlled by the attacker. This could lead to unauthorized actions within the application.

Impact

Exploitation of this vulnerability allows for the theft of authentication tokens, which can be used to impersonate users and gain unauthorized access to their accounts. This could result in unauthorized actions being performed within the application, potentially escalating to more severe consequences.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/tokens' endpoint with the 'Origin' header set to an unauthorized domain. The response will include the JWT token, indicating that the CORS misconfiguration can be exploited. This vulnerability can also be reproduced by hosting a malicious webpage that tricks users into visiting it, which will then steal their tokens and send them to the attacker's server.

Remediation

It is recommended to properly validate the Origin header to ensure that only trusted domains are allowed to access sensitive APIs. This is crucial for preventing unauthorized token theft and potential account takeover.