Mist Community Edition Cross-Site Scripting Vulnerability in Tag Resources Function
Vulnerability
A stored cross-site scripting vulnerability has been identified in Mist Community Edition versions through 4.7.1. The issue arises in the tag_resources function within the file src/mist/api/tag/views.py. This vulnerability allows authenticated attackers to inject persistent JavaScript payloads into tag fields across various resource types, including Machines, Volumes, Zones, Images, Keys, and Scripts. The injected scripts are executed automatically when the affected resources are viewed in the web interface. The vulnerability can be exploited remotely.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the resource. This can lead to session hijacking, user impersonation, and potentially privilege escalation.
Reproduction
To reproduce this vulnerability, add a tag with a malicious JavaScript payload, such as an iframe tag containing a JavaScript URL, to any resource in Mist Community Edition prior to 4.7.2. After saving the tag, navigate to the resource listing page where the tag is displayed. The injected script will execute automatically. This vulnerability can be combined with CSRF attacks for further exploitation.
Remediation
Users are advised to upgrade to Mist Community Edition version 4.7.2, where this vulnerability has been fixed.
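Independently of the upgrade, the defensive pattern the advisory implies is to reject markup in tag input at the API boundary and to escape tags again when rendering them. The block below is an added example, not Mist's own code; the request shape (a list of key/value dicts), the allowlist regexes and the render helper are assumptions.

```python
import html
import re

# Assumption: tag keys and values are short labels, so a conservative
# allowlist is enough. Angle brackets, quotes and parentheses are rejected
# before anything reaches storage.
TAG_KEY_RE = re.compile(r"^[A-Za-z0-9_.\-]{1,64}$")
TAG_VALUE_RE = re.compile(r"^[A-Za-z0-9_.\-/ :@]{0,256}$")


def tag_error(key, value):
    """Return None if the tag is acceptable, else a short reason string."""
    if not isinstance(key, str) or not TAG_KEY_RE.match(key):
        return "invalid tag key"
    if value is None:
        value = ""
    if not isinstance(value, str) or not TAG_VALUE_RE.match(value):
        return "invalid tag value"
    return None


def partition_tags(tags):
    """Split a request's tag list into (accepted, rejected).

    Assumed request shape: a list of {"key": ..., "value": ...} dicts.
    accepted holds (key, value) tuples; rejected holds (key, reason) tuples.
    """
    accepted, rejected = [], []
    for tag in tags:
        key = tag.get("key", "")
        value = tag.get("value", "") or ""
        reason = tag_error(key, value)
        if reason:
            rejected.append((key, reason))
        else:
            accepted.append((key, value))
    return accepted, rejected


def render_tag_html(key, value):
    """Defence in depth: escape on output even for tags that passed validation."""
    return f'<span class="tag">{html.escape(key)}={html.escape(value)}</span>'


# Constructed sample input: one benign tag and one carrying markup.
SAMPLE_TAGS = [
    {"key": "env", "value": "prod"},
    {"key": "note", "value": '<iframe src="javascript:void(0)"></iframe>'},
]
```

Running `partition_tags(SAMPLE_TAGS)` accepts the `env` tag and rejects the `note` tag with the reason "invalid tag value", so the markup is never persisted; `render_tag_html` shows the escaped form a template should emit for whatever is stored.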
