Jexactyl Game Management Panel Stored DOM Cross-Site Scripting Vulnerability
Vulnerability
A stored DOM cross-site scripting vulnerability has been identified in the Jexactyl game management panel and billing system, specifically in the 'canary' version prior to the patch commit. The issue arises because a Blade template injects server-side objects into client-side JavaScript without escaping them. As a result, attacker-controlled content, such as usernames or site configuration values, can be executed as arbitrary script in the browser of any user viewing the page.
Impact
Exploitation of this vulnerability allows for stored DOM-based cross-site scripting, where injected scripts are executed in the context of the user viewing the page. This could lead to account compromise, session theft, or cross-site request forgery (CSRF) attacks.
Reproduction
To reproduce this vulnerability, update a user-controlled field, such as a display name, to include a script payload. After logging in as that user and loading a page that references the injected data, the script can be observed executing in the browser.
Remediation
The vulnerability has been patched in the 'canary' version. Users should update to the latest version.
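The pattern described under Vulnerability, as an added example that is not Jexactyl's code or its patch: the template rendering is modeled in plain JavaScript rather than Blade, and `AppUser`, `renderUnsafe`, `renderSafe` and the sample record are hypothetical. It places raw JSON in an inline script block next to a form that escapes the characters the HTML parser acts on, with a check that can be run over rendered output.

```javascript
// Added example: models a server-side template in plain JavaScript.
// All names (AppUser, renderUnsafe, renderSafe) are hypothetical.

// Constructed sample record: a user-controlled display name that contains
// a script end tag followed by a harmless marker element.
const sampleUser = {
  id: 7,
  username: 'player</script><b id="marker">injected markup</b>',
};

// Vulnerable pattern: raw JSON dropped into an inline <script> block.
// JSON.stringify leaves "<", ">" and "/" untouched, so the HTML parser
// sees the "</script>" inside the string and closes the block early.
function renderUnsafe(user) {
  return '<script>window.AppUser = ' + JSON.stringify(user) + ';</script>';
}

// Hardened pattern: same JSON, but characters that matter to the HTML
// parser (and the two line separators) are written as \uXXXX escapes.
// The JavaScript value is unchanged after parsing.
const ESCAPES = { '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
                  '\u2028': '\\u2028', '\u2029': '\\u2029' };
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}
function renderSafe(user) {
  return '<script>window.AppUser = ' + jsonForScript(user) + ';</script>';
}

// Check a defender can run on rendered output: an inline script block
// must contain exactly one end tag, the one the template itself wrote.
function countScriptEndTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Round-trip: recover the object from the hardened block to show the
// escaping did not alter the data.
function extractUser(html) {
  const body = html.slice(html.indexOf('{'), html.lastIndexOf('}') + 1);
  return JSON.parse(body);
}
```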
