LinkAce Stored Cross-Site Scripting Vulnerability in Audit Page

Vulnerability

A stored cross-site scripting vulnerability has been identified in LinkAce versions prior to 2.3.1, specifically on the /system/audit page. The issue arises because the application does not properly sanitize the username field before it is displayed in the audit log. An authenticated attacker can exploit this by injecting a malicious JavaScript payload into their own username. When that user then performs an action that is logged, such as generating an API token, the payload is saved in the database and executed in the browser of anyone who views the audit page, particularly administrators.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the audit page. This could lead to session hijacking, account takeover, phishing, data exfiltration, or website defacement.

Reproduction

To reproduce this vulnerability, log into LinkAce as a standard user and navigate to the profile or account settings page to change the username. Enter a JavaScript payload, such as a script tag containing JavaScript code, and save the changes. Then perform an action that triggers a log entry, such as generating an API token. Finally, log in as an administrator and open the audit log page; the script executes when the page renders, confirming the XSS vulnerability.

Remediation

Users can update to LinkAce version 2.3.1 or later, where this vulnerability has been patched.
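
The root cause described above, shown as an added example in PHP (the language LinkAce is written in): a stored username written into an audit-log row unescaped, next to the same row with output encoding applied. This is not LinkAce source code or its actual patch; the function names, the entry layout and the username allowlist are hypothetical, and the sample entry is constructed.

```php
<?php
// Added illustration, not LinkAce code. All names here are hypothetical.

// Constructed audit entry: the username is attacker-controlled stored data.
$entry = [
    'time'   => '2025-09-18 20:17:00',
    'user'   => '<script>alert(1)</script>',
    'action' => 'API token generated',
];

// Vulnerable pattern: the stored value is concatenated into HTML unchanged,
// so markup in the username becomes part of the page seen by the viewer.
function renderAuditRowUnsafe(array $e): string
{
    return "<tr><td>{$e['time']}</td><td>{$e['user']}</td><td>{$e['action']}</td></tr>";
}

// Encode for the HTML context at output time. ENT_QUOTES also covers values
// that end up inside attributes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every field taken from storage is encoded before output.
function renderAuditRowSafe(array $e): string
{
    return '<tr><td>' . h($e['time']) . '</td><td>' . h($e['user'])
         . '</td><td>' . h($e['action']) . '</td></tr>';
}

// Defence in depth at write time: an allowlist for usernames (assumed policy:
// letters, digits, dot, underscore, hyphen, 1 to 64 characters).
function isAcceptableUsername(string $name): bool
{
    return preg_match('/\A[\p{L}\p{N}._-]{1,64}\z/u', $name) === 1;
}

echo renderAuditRowUnsafe($entry), PHP_EOL; // script tag reaches the page as markup
echo renderAuditRowSafe($entry), PHP_EOL;   // script tag is rendered as inert text
var_dump(isAcceptableUsername($entry['user']));
var_dump(isAcceptableUsername('alice.admin'));
```

Output encoding is the control that closes the hole; input validation only narrows what can be stored, and values saved before validation was introduced still need to be encoded when displayed.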

Added: Sep 18, 2025, 8:17 PM
Updated: Sep 18, 2025, 8:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.3
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.