Bugsink Stored Cross-Site Scripting Vulnerability via Pygments Fallback
Vulnerability
A stored cross-site scripting vulnerability has been identified in Bugsink, a self-hosted error tracking tool, in versions prior to 2.0.13. The issue allows an unauthenticated attacker to inject arbitrary JavaScript into an event; the script is executed only when an administrator views the affected stack trace in the web UI. The exploit relies on a quirk in the Pygments library that can occur with Ruby heredoc-style input, which results in unsanitized raw lines being inserted into the rendered page. Because Bugsink's DSN ingest endpoints are public, as the Sentry protocol requires, no account is needed to submit the malicious payload. Once injected, the JavaScript executes in the context of the administrator's browser, potentially leading to unauthorized actions within Bugsink.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of an administrator's browser.
Reproduction
To reproduce this vulnerability, send a Sentry event to the Bugsink ingest endpoint for a specific project using a valid DSN. The event must include a crafted stack trace that takes advantage of the Pygments fallback quirk, such as by using Ruby heredoc-style input. Once the event is submitted, an administrator must explicitly view it in the Bugsink UI, at which point the injected JavaScript will execute.
Remediation
Update to Bugsink version 2.0.13 or later, where this vulnerability is fixed.
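As an added illustration, not Bugsink's own code or its actual patch, the following models the fallback path the advisory describes: a stand-in highlighter that returns fewer lines than it was given, and a renderer that fills the gap either with the raw line (the vulnerable pattern) or with an HTML-escaped line (the hardening), plus a regression check for the fallback path. The stand-in highlighter and the sample stack-trace lines are constructed; Pygments' real behaviour with heredocs is not reproduced here.

```python
import html
from typing import Callable, List

# Constructed sample: a Ruby snippet whose heredoc body carries markup.
SAMPLE_LINES = [
    "def greeting",
    "  text = <<~EOS",
    "    <script>alert(1)</script>",
    "  EOS",
    "end",
]


def stand_in_highlighter(lines: List[str]) -> List[str]:
    """Constructed stand-in for a syntax highlighter (not Pygments).

    It escapes and wraps each line but, to model the fallback path the
    advisory describes, stops emitting output at the first heredoc opener,
    so the caller receives fewer lines than it passed in.
    """
    out = []
    for line in lines:
        out.append('<span class="ruby">%s</span>' % html.escape(line))
        if "<<~" in line or "<<-" in line:
            break
    return out


def render_context(lines: List[str], highlighter: Callable[[List[str]], List[str]],
                   escape_fallback: bool = True) -> List[str]:
    """Render source lines to HTML fragments, one per input line.

    Lines the highlighter did not return are filled from the raw input.
    With escape_fallback=False the raw line is inserted as-is (the
    vulnerable pattern); with True it is HTML-escaped first (the hardening).
    """
    highlighted = highlighter(lines)
    rendered = []
    for index, raw in enumerate(lines):
        if index < len(highlighted):
            rendered.append(highlighted[index])
        elif escape_fallback:
            rendered.append(html.escape(raw))
        else:
            rendered.append(raw)
    return rendered


def fallback_lines_are_escaped(lines: List[str], highlighter, escape_fallback: bool = True) -> bool:
    """Regression check: every line filled by the fallback must equal its escaped form."""
    covered = len(highlighter(lines))
    rendered = render_context(lines, highlighter, escape_fallback)
    return all(rendered[i] == html.escape(lines[i]) for i in range(covered, len(lines)))
```

Running the check with escape_fallback=False reproduces the failure mode; with the default it passes, which is the property a fix for this class of bug should guarantee.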
