Northern.tech CFEngine Enterprise Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Northern.tech CFEngine Enterprise versions 3.24.3 prior to 3.24.4 and 3.27.0 prior to 3.27.1. The issue arises in the Mission Portal due to an incorrect content-type HTTP header in some API endpoints. This flaw allows low-privilege users to inject malicious JavaScript that could be executed by an admin user, potentially leading to unauthorized privilege escalation.
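The root cause described above (JSON API responses served with a Content-Type that a browser will render as HTML) can be checked from the defender's side by auditing response headers. The following is an added example, not CFEngine's or Northern.tech's code; the endpoint paths and the sample responses are constructed for illustration and do not correspond to real Mission Portal endpoints.

```python
"""Audit API responses for the misconfiguration class in the advisory:
a JSON body delivered with a Content-Type a browser may interpret as HTML.
Added example; the sample responses below are constructed, not captured."""
import json

# Media types under which a JSON body is not rendered as a document by browsers.
SAFE_JSON_TYPES = {"application/json", "application/problem+json"}


def media_type(content_type):
    """Return the lowercase media type with parameters stripped,
    e.g. 'Text/HTML; charset=utf-8' -> 'text/html'."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def body_is_json(body):
    """True if the body parses as JSON (what an API endpoint is expected to return)."""
    try:
        json.loads(body)
        return True
    except (ValueError, TypeError):
        return False


def audit_response(path, headers, body):
    """Return a list of findings for one response; an empty list means no issue."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = media_type(lowered.get("content-type"))

    # Core check: JSON content must be labelled as JSON, otherwise user-supplied
    # strings inside it may be rendered as markup in an administrator's browser.
    if body_is_json(body) and ctype not in SAFE_JSON_TYPES:
        label = ctype or "missing Content-Type"
        findings.append(f"{path}: JSON body served as {label}; browser may render it as HTML")

    # Hardening check: nosniff stops browsers from guessing a type when the
    # header is absent or generic (it does not help when text/html is explicit).
    if lowered.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(f"{path}: missing X-Content-Type-Options: nosniff")
    return findings


# Constructed sample responses (hypothetical paths, not real endpoints).
SAMPLE_RESPONSES = [
    ("/api/example/weak",
     {"Content-Type": "text/html; charset=utf-8"},
     '{"comment": "text supplied by a low-privilege user"}'),
    ("/api/example/fixed",
     {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff"},
     '{"comment": "text supplied by a low-privilege user"}'),
    ("/api/example/unset",
     {},
     '{"comment": "text supplied by a low-privilege user"}'),
]


def audit_all(responses=SAMPLE_RESPONSES):
    """Map each sample path to its findings."""
    return {path: audit_response(path, headers, body) for path, headers, body in responses}


if __name__ == "__main__":
    for path, findings in audit_all().items():
        print(path, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against live responses by substituting captured headers and bodies for the constructed list; only the "fixed" sample above comes back clean, which is the state an upgraded hub should be in for its API endpoints.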

Impact

Exploitation of this vulnerability could allow an authenticated low-privilege user to execute malicious JavaScript in the context of an admin user, potentially escalating their privileges and gaining control over the hub and its managed infrastructure.

Remediation

Users are advised to upgrade to CFEngine Enterprise versions 3.24.4, 3.27.1, or later. For upgrade instructions, please refer to the CFEngine documentation.

Added: Jun 2, 2026, 8:36 PM
Updated: Jun 2, 2026, 8:36 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 5.4
exploitability: 4.4
remediation: 7.7
relevance: 9.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.