ExpressGateway express-gateway
cpe:2.3:a:express-gateway:express-gateway:*:*:*:*:*:*:*
- <= 1.16.10
A stored cross-site scripting (XSS) vulnerability has been identified in ExpressGateway's express-gateway version 1.16.10 and prior. The issue resides within the REST API endpoints for user and application management. The vulnerability arises because user input is transmitted to service layer functions without proper validation or sanitization. This flaw allows attackers to inject malicious JavaScript into fields such as 'firstname' or 'name'. Once injected, the script is executed when the data is displayed in the web interface, potentially leading to session hijacking, unauthorized actions, data theft, or complete account compromise.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the affected user's browser. This could result in session hijacking, theft of sensitive information, and unauthorized actions performed on behalf of the user. If an administrator's account is compromised, the attacker could gain elevated privileges, manipulate application data, or possibly compromise the entire system.
The vulnerability can be reproduced by sending a POST request to the '/users' endpoint with a payload that includes a malicious script in the 'firstname' field. This injected script will be executed when the user data is rendered on the page. Similarly, the '/apps' endpoint can be exploited by injecting a script into the 'name' field of an application.
Although the repository is no longer actively maintained, it is recommended to implement input validation and sanitization, apply proper output encoding, use security libraries for HTML sanitization, and conduct regular security reviews and testing.
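A minimal sketch of the first two mitigations above, input validation at the API boundary and output encoding at render time, applied to the 'firstname' and 'name' fields. This is an added example, not code from express-gateway; the helper names, the allow-list pattern and the Express-style middleware wiring are assumptions.

```javascript
// Added example. 'firstname' and 'name' are the fields named in the advisory;
// every helper name and the allow-list pattern below are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: apply whenever a stored value is written into HTML text
// or a quoted attribute, even if it passed validation on the way in.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list for display names: letters, digits, space and . , ' _ - (1 to 64 chars).
const NAME_PATTERN = /^[\p{L}\p{N} .,'_-]{1,64}$/u;

// Input validation: returns a list of error strings, empty when the body is acceptable.
function validateDisplayFields(body, fields) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return ['body: must be a JSON object'];
  }
  const errors = [];
  for (const field of fields) {
    if (!Object.prototype.hasOwnProperty.call(body, field)) continue; // field is optional
    const value = body[field];
    if (typeof value !== 'string') {
      errors.push(`${field}: must be a string`);
    } else if (!NAME_PATTERN.test(value.normalize('NFC'))) {
      errors.push(`${field}: disallowed characters or length`);
    }
  }
  return errors;
}

// Express-style middleware factory: reject the request before it reaches the
// service layer, e.g. rejectInvalidFields(['firstname']) in front of POST /users.
function rejectInvalidFields(fields) {
  return (req, res, next) => {
    const errors = validateDisplayFields(req.body, fields);
    if (errors.length > 0) return res.status(400).json({ errors });
    return next();
  };
}
```

The allow-list deliberately admits the apostrophe so that names such as O'Brien are accepted, which is why the stored value is still passed through `encodeHtml` when it is rendered.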