Tarkov Data Manager Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the toast notification system of Tarkov Data Manager in versions prior to January 2, 2025. An attacker who gets a victim to open a crafted URL can execute arbitrary JavaScript in the victim's browser session. The application hex-decodes the toast query parameter and interpolates the decoded text directly into a JavaScript context without encoding it for that context, so attacker-controlled text is emitted as code rather than as data.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser session, potentially leading to session hijacking or theft of sensitive data displayed on authenticated pages.

Reproduction

To reproduce this vulnerability, send a request to the Tarkov Data Manager with a hex-encoded toast query parameter. The server decodes the parameter and reflects the decoded text into a JavaScript context in the response; when a victim loads that page, the embedded JavaScript runs in their browser. A payload that calls alert(document.domain) is sufficient to demonstrate script execution in the victim's origin.

Remediation

User input must be encoded for the context it is inserted into. A value placed inside a JavaScript string literal should be JavaScript-encoded (for example, serialized with JSON.stringify and then additionally escaping <, >, & and the U+2028/U+2029 line separators) rather than interpolated raw, or passed to the page as data (an HTML-escaped attribute or textContent) instead of as script. An HTML sanitizer such as DOMPurify is only appropriate where the toast text is rendered as HTML markup; it does not protect a value emitted inside a script block.
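The pattern this advisory describes, with the vulnerable rendering beside a hardened one, as an added example that is not Tarkov Data Manager's code: the toast parameter name, the showToast function, the renderer and helper names, the example host and both payloads are assumptions constructed for illustration, since the page does not state the application's actual template or helper names. The hex parameter is assumed to carry no prefix.

```javascript
// Added example: not Tarkov Data Manager code. Models the advisory's pattern
// (hex-decoded ?toast= parameter interpolated into a JavaScript context) and a
// hardened rendering. Names (showToast, hexDecode, renderToastVulnerable,
// renderToastSafe, jsStringLiteral, renderFromUrl), the host and the payloads
// are assumptions constructed for illustration.

// Decode a hex-encoded query parameter. Buffer.from(hex, 'hex') silently stops
// at the first invalid character, so validate before decoding.
function hexDecode(hex) {
  if (typeof hex !== 'string' || hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    throw new Error('toast parameter is not valid hex');
  }
  return Buffer.from(hex, 'hex').toString('utf8');
}

// VULNERABLE PATTERN: the decoded text is dropped straight into a JS string
// literal inside a <script> block. A closing quote in the text ends the
// literal and whatever follows is executed as code; a "</script>" in the
// text ends the script element and lets the attacker inject HTML instead.
function renderToastVulnerable(toastHex) {
  const msg = hexDecode(toastHex);
  return `<script>showToast('${msg}');</script>`;
}

// Encode a value as a JS string literal that is safe inside a <script> block.
// JSON.stringify keeps the value inside the literal (quotes, backslashes and
// control characters are escaped); the extra replacements stop the HTML
// parser from ever seeing "</script>" or an entity inside the script, and
// neutralise U+2028/U+2029, which older engines treat as line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// HARDENED PATTERN: same decoding, but the value is emitted as data.
function renderToastSafe(toastHex) {
  const msg = hexDecode(toastHex);
  return `<script>showToast(${jsStringLiteral(msg)});</script>`;
}

// Pull the ?toast= parameter out of a request URL and render it with the
// given renderer; an absent parameter renders nothing.
function renderFromUrl(url, render) {
  const toast = new URL(url).searchParams.get('toast');
  return toast === null ? '' : render(toast);
}

// Constructed payloads (assumptions, not taken from the advisory):
//  1. close the single-quoted literal and call alert(document.domain)
//  2. close the <script> element and inject an HTML event handler instead
const PAYLOAD_BREAKOUT = "');alert(document.domain);//";
const PAYLOAD_SCRIPT_CLOSE = '</script><img src=x onerror=alert(document.domain)>';
const toHex = (s) => Buffer.from(s, 'utf8').toString('hex');
const ATTACK_URL_BREAKOUT = 'https://tdm.example.invalid/?toast=' + toHex(PAYLOAD_BREAKOUT);
const ATTACK_URL_SCRIPT_CLOSE = 'https://tdm.example.invalid/?toast=' + toHex(PAYLOAD_SCRIPT_CLOSE);

// Quick check for a rendered response: a safe response contains exactly one
// "</script>" (its own closing tag), never one supplied by the parameter.
function scriptCloseCount(html) {
  return html.split('</script>').length - 1;
}

for (const url of [ATTACK_URL_BREAKOUT, ATTACK_URL_SCRIPT_CLOSE]) {
  console.log('vulnerable:', renderFromUrl(url, renderToastVulnerable));
  console.log('hardened:  ', renderFromUrl(url, renderToastSafe));
}
```

Run with node. For the first payload the vulnerable output is showToast('');alert(document.domain);//'), which the browser runs as two statements, while the hardened output keeps the whole payload inside one double-quoted literal. For the second payload the vulnerable output contains a second </script>, so the HTML parser closes the element early and renders the injected img tag; the hardened output emits \u003c/script\u003e, which the JS engine decodes back to the original text (JSON.parse round-trips it) but the HTML parser never sees as a tag.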

Added: Jan 7, 2026, 8:02 PM
Updated: Jan 7, 2026, 8:02 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 7.7
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.