JATOS Reflected Cross-Site Scripting Vulnerability
Vulnerability
A reflected cross-site scripting vulnerability has been identified in JATOS (Just Another Tool for Online Studies) versions 3.7.1 through 3.9.6. The issue arises in the '/publix/run' endpoint, where the 'code' URL parameter is not properly sanitized. This flaw allows remote attackers to inject malicious JavaScript that is executed in the context of the user's browser. When an authenticated admin user clicks on a crafted study link, the injected script runs, potentially leading to unauthorized actions, account compromise, and privilege escalation.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, with the potential for account takeover of an admin user.
Reproduction
To reproduce this vulnerability, an authenticated admin user must be persuaded to click on a study link that has been crafted to include a malicious payload in the 'code' parameter. Once the link is clicked, the injected JavaScript will execute in the user's browser.
Remediation
This vulnerability has been patched in JATOS version 3.9.7.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.