Proxmox Virtual Environment Stored Cross-Site Scripting Vulnerability in WebAuthn Relying Party Field

Vulnerability

A stored cross-site scripting vulnerability has been identified in Proxmox Virtual Environment (PVE) version 8.4. This vulnerability resides in the WebAuthn Relying Party field within the Datacenter configuration. Authenticated users can inject JavaScript that is executed in the browsers of users who view the configuration page, potentially leading to client-side attacks.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected configuration page.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to Datacenter → WebAuthn Settings. Inject a script payload, such as a JavaScript alert, into the Relying Party field and save the changes. After logging out or switching accounts, the injected script will execute when the same settings page is accessed.

Remediation

Users can upgrade to Proxmox Virtual Environment 9.0.5 or 8.4.11, both of which include the necessary fix.
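
The following audit helper is an added example, not code from Proxmox or from this advisory. It checks a node's version against the fixed releases listed above and flags markup characters stored in the WebAuthn settings. It assumes the settings are stored as a "webauthn: rp=...,origin=...,id=..." line in the datacenter configuration file (/etc/pve/datacenter.cfg on a node); the function names and the sample input are constructed for illustration.

```python
import re

# Fixed releases named in the advisory above, keyed by major version.
FIXED = {8: (8, 4, 11), 9: (9, 0, 5)}
# Characters that can change HTML parsing if a UI renders the value unescaped.
MARKUP = re.compile(r"[<>\"'&`]")
# Property keys of the webauthn entry (assumed format: rp=..,origin=..,id=..).
KEYS = ("rp", "origin", "id")


def has_listed_fix(version):
    """True if `version` is at or above the fixed release on its major branch."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    fixed = FIXED.get(parts[0])
    return parts >= fixed if fixed else parts[0] > max(FIXED)


def parse_webauthn(cfg_text):
    """Return the webauthn properties from datacenter.cfg text as a dict."""
    for line in cfg_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "webauthn":
            # Split only at commas that start a known key, so a comma
            # inside the rp value stays part of that value.
            fields = re.split(r",(?=(?:%s)=)" % "|".join(KEYS), value.strip())
            return dict(f.split("=", 1) for f in fields if "=" in f)
    return {}


def audit(cfg_text, version):
    """Return a list of findings for one node's config text and version."""
    findings = []
    if not has_listed_fix(version):
        findings.append("version %s is below fixed releases 8.4.11 / 9.0.5" % version)
    for key, value in parse_webauthn(cfg_text).items():
        if MARKUP.search(value):
            findings.append("webauthn %s contains markup characters: %r" % (key, value))
    return findings


# Constructed sample input, not taken from a real system.
SAMPLE_CFG = ("keyboard: en-us\n"
              "webauthn: rp=Lab <b>PVE</b>, east,"
              "origin=https://pve.example.test:8006,id=pve.example.test\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG, "8.4.1"):
        print(finding)
```

A flagged value is a prompt for review rather than proof of injection, since a legitimate relying party name may contain an apostrophe or ampersand.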

Added: Sep 9, 2025, 5:32 PM
Updated: Sep 9, 2025, 5:32 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 1.7
exploitability: 5.5
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.