Rucio Stored Cross-Site Scripting Vulnerability in WebUI RSE Metadata
Vulnerability
A stored cross-site scripting vulnerability has been identified in the RSE metadata of Rucio WebUI, affecting versions prior to 35.8.3, 38.5.4, and 39.3.1. This vulnerability allows attacker-controlled input to be persisted by the backend and later rendered in the WebUI without proper output encoding. As a result, arbitrary JavaScript can be executed in the context of the WebUI for users who view the affected pages, potentially leading to session token theft or unauthorized actions.
Impact
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the WebUI, which can result in session token theft or unauthorized actions on behalf of the user.
Reproduction
To reproduce this vulnerability, an authenticated user can navigate to the RSE Management dashboard and add an RSE with XSS payloads in the metadata fields such as City, Country_Name, and ISP. Once the RSE is saved, the injected scripts will be executed when the RSE is viewed in the management interface.
Remediation
Users can update to Rucio versions 35.8.3, 38.5.4, or 39.3.1 to address this vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.