Proxmox Virtual Environment Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in Proxmox Virtual Environment (PVE) version 8.4. The vulnerability resides in the HTTP Proxy field of the Datacenter configuration panel. An authenticated user can inject a script payload into this field; the payload is stored and later executed in the browser context of other users who open the affected configuration page. This can lead to execution of arbitrary JavaScript, potentially allowing session hijacking or further exploitation.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of users viewing the affected configuration page.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to Datacenter → HTTP Proxy or WebAuthn Settings. Inject a script payload, such as a script tag containing JavaScript code, into the vulnerable field and save the changes. Then log out or switch to another account with GUI access. When that user visits the same settings page, the injected script executes in their browser context.
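The defect class behind this finding is a stored setting being placed into the page as markup rather than as text. The following added example (not Proxmox code) contrasts that pattern with the hardened form and includes a check a reviewer can run over a rendered fragment; the label, proxy URL and payload strings are constructed for the example.

```javascript
// Added example, not Proxmox code: a stored settings value rendered unescaped
// ("renderUnsafe") versus the same value HTML-encoded first ("renderSafe").

// Encode the five characters that let text break out of an HTML text node or
// attribute value. ExtJS ships the same idea as Ext.String.htmlEncode.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the stored setting is concatenated into markup that is
// later assigned via innerHTML or an unescaped template, so a value containing
// a script tag becomes live script for every user who opens the panel.
function renderUnsafe(label, storedValue) {
  return `<div class="setting"><b>${label}</b>: ${storedValue}</div>`;
}

// Hardened pattern: every stored value is encoded before it is placed in
// markup, so it is displayed as text instead of being parsed as HTML.
function renderSafe(label, storedValue) {
  return `<div class="setting"><b>${escapeHtml(label)}</b>: ${escapeHtml(storedValue)}</div>`;
}

// Reviewer's check for a rendered fragment: only the template's own tags
// (div, b) may appear; any other tag means a stored value was not encoded.
function containsOnlyTemplateTags(html) {
  const tags = html.match(/<\/?([a-z][a-z0-9]*)/gi) || [];
  return tags.every((t) => /^<\/?(div|b)$/i.test(t));
}

// Constructed sample values (not from the advisory): an ordinary proxy URL and
// a value carrying a script tag, as the reproduction steps describe.
const SAMPLE_PROXY = 'http://proxy.example.internal:3128';
const SAMPLE_PAYLOAD = '<script>x()</script>';
```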

Remediation

Users can update to Proxmox Virtual Environment 9.0.5 or 8.4.11, both of which include the necessary fix.

Added: Sep 9, 2025, 5:34 PM
Updated: Sep 9, 2025, 5:34 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 1.7
exploitability: 5.5
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined to calculate the overall risk score.