Proxmox Virtual Environment Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Proxmox Virtual Environment (PVE) version 8.4. This vulnerability allows authenticated users to inject malicious scripts into the U2F Origin field within the Datacenter configuration. The injected scripts are not properly sanitized, enabling them to be executed in the Web UI context of other users who view the same settings. This could lead to session hijacking or other malicious activities.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the affected user, potentially leading to session hijacking or further exploitation.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the Datacenter configuration. Access the U2F Settings and enter a script payload, such as a script tag containing JavaScript code, into the Origin field. Save the changes, then log out or switch to another account with GUI access. When the same settings page is visited, the injected script will execute in the browser.

Remediation

Users can upgrade to Proxmox Virtual Environment 9.0.5 or 8.4.11, both of which include the necessary fix.
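To check whether a stored U2F Origin value already contains markup, the following added example (not part of the original advisory and not Proxmox code) audits Datacenter configuration text. It assumes the setting is stored as a `u2f:` line of comma-separated `key=value` pairs; the sample inputs are constructed, and requiring an https origin is this example's policy.

```python
import re
from urllib.parse import urlsplit

# Characters a plain origin (scheme://host[:port]) can legitimately contain.
ORIGIN_CHARS = re.compile(r"[A-Za-z0-9.\-:/\[\]]+")

# Constructed samples; the "u2f: key=value,..." layout is an assumption.
SAMPLE_CLEAN = "keyboard: en-us\nu2f: appid=https://pve.example.test:8006,origin=https://pve.example.test:8006\n"
SAMPLE_TAINTED = "keyboard: en-us\nu2f: appid=https://pve.example.test:8006,origin=<script>alert(1)</script>\n"

def origin_problems(value):
    """Return the reasons why `value` is not a plain https origin."""
    problems = []
    if not ORIGIN_CHARS.fullmatch(value):
        problems.append("unexpected characters (possible markup)")
    try:
        url = urlsplit(value)
        url.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return problems + ["not parseable as a URL"]
    if url.scheme != "https":
        problems.append("scheme is not https")
    if not url.hostname:
        problems.append("no host")
    if url.path not in ("", "/") or url.query or url.fragment:
        problems.append("has path, query or fragment")
    return problems

def audit_u2f(cfg_text):
    """Return (line_no, fragment, problems) for each suspicious u2f entry."""
    findings = []
    for no, line in enumerate(cfg_text.splitlines(), 1):
        if not line.startswith("u2f:"):
            continue
        for part in line[4:].strip().split(","):
            key, sep, val = part.partition("=")
            if sep and key.strip() == "appid":
                continue  # only the Origin field is in scope here
            if sep and key.strip() == "origin":
                probs = origin_problems(val.strip())
            else:  # a payload containing "," or "=" lands here
                probs = ["unrecognised fragment in u2f line"]
            if probs:
                findings.append((no, part.strip(), probs))
    return findings

if __name__ == "__main__":
    for no, frag, probs in audit_u2f(SAMPLE_TAINTED):
        print(f"line {no}: {frag!r}: {'; '.join(probs)}")
```

Any finding on a host that has not yet been upgraded means the stored value should be corrected in addition to applying the fixed release.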

Added: Sep 9, 2025, 5:33 PM
Updated: Sep 9, 2025, 5:33 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 1.7
exploitability: 5.5
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.