OpenNebula Cross-Site Scripting Vulnerability in Custom Authenticator Driver

Vulnerability

A stored cross-site scripting vulnerability has been identified in OpenNebula version 6.10.0.1, specifically within the custom authenticator driver. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload. The issue arises in the OpenNebula Sunstone component, and it affects all versions prior to 7.0.

Impact

Exploitation results in stored cross-site scripting: the injected script is saved by the application and executed in the context of the user.

Reproduction

To reproduce this vulnerability, inject a payload such as an image tag with an 'onerror' event into the custom authenticator driver. This can be done by crafting a payload that includes arbitrary web scripts or HTML, and then delivering it through a method that the application will process as a script, such as a form submission or an API request that accepts HTML content.

Remediation

Users are advised to upgrade to OpenNebula version 7.0 or later.
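
An added example, not taken from the advisory or from OpenNebula's code: a check an administrator could run over an exported user pool to find authentication driver values that contain markup instead of a plain driver name. It assumes the injected value is held in each user's AUTH_DRIVER field and that the export uses USER_POOL/USER/ID/NAME/AUTH_DRIVER elements; the allow-list pattern and the sample XML are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: a legitimate driver name is a short, plain identifier.
# Anything else (markup, spaces, quotes, empty value) is reported for review.
SAFE_DRIVER = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Constructed sample in the assumed shape of a user-pool XML export.
SAMPLE_POOL = """<USER_POOL>
  <USER><ID>0</ID><NAME>oneadmin</NAME><AUTH_DRIVER>core</AUTH_DRIVER></USER>
  <USER><ID>2</ID><NAME>alice</NAME><AUTH_DRIVER>ldap</AUTH_DRIVER></USER>
  <USER><ID>3</ID><NAME>bob</NAME><AUTH_DRIVER>&lt;img src=x onerror=alert(1)&gt;</AUTH_DRIVER></USER>
  <USER><ID>4</ID><NAME>carol</NAME><AUTH_DRIVER>my_sso</AUTH_DRIVER></USER>
</USER_POOL>"""


def suspicious_auth_drivers(pool_xml):
    """Return (id, name, driver) for every user whose driver value is not a plain identifier."""
    findings = []
    root = ET.fromstring(pool_xml)
    for user in root.iter("USER"):
        # A missing or empty element yields "", which fails the allow-list too.
        driver = (user.findtext("AUTH_DRIVER") or "").strip()
        if not SAFE_DRIVER.fullmatch(driver):
            findings.append((user.findtext("ID"), user.findtext("NAME"), driver))
    return findings


if __name__ == "__main__":
    for uid, name, driver in suspicious_auth_drivers(SAMPLE_POOL):
        # repr() keeps the value inert when it is printed to a terminal or log.
        print(f"user {uid} ({name}): unexpected auth driver value {driver!r}")
```

Any user reported here should have the driver value reviewed and reset to a known driver name.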

Added: Apr 29, 2026, 4:39 PM
Updated: Apr 29, 2026, 4:39 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 7.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.