NationalSecurityAgency Emissary
cpe:2.3:a:nsa:emissary:*:*:*:*:*:*:*
- <= 8.38.0
A stored cross-site scripting vulnerability has been identified in Emissary versions prior to 8.39.0. The issue arises because Mustache navigation templates directly interpolated configuration-controlled link values into href attributes without validating the URL scheme. This flaw allowed administrators to inject javascript: URIs, which could then be executed by other authenticated users viewing the Emissary web interface.
Exploitation of this vulnerability could lead to session hijacking through cookie theft, allowing actions to be performed on behalf of the victim user.
To reproduce this vulnerability, an administrator must modify the 'navItems' configuration to include a link with a 'javascript:' URI. Once this link is saved, the injected script runs in the browser of any authenticated user who clicks it, for example an alert displaying their cookies.
This vulnerability has been fixed in Emissary version 8.39.0. If an immediate upgrade is not possible, it is recommended to audit the navigation configuration to ensure all 'navItems' link values use only 'http://', 'https://', or relative ('/') URL schemes.
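The audit recommended above can be scripted. The following is an added example, not Emissary code: it assumes the 'navItems' entries have already been extracted into (label, link) pairs, since the configuration file format is not shown here, and the names `audit`, `is_allowed` and the sample data are hypothetical.

```python
import re

# Allow-list from the advisory: http://, https://, or relative ("/") links.
ALLOWED_PREFIXES = ("http://", "https://", "/")

# Browser URL parsers ignore leading/trailing spaces and control characters,
# ignore tab/CR/LF anywhere in the string, and treat the scheme as
# case-insensitive. Normalize the same way so the check sees the scheme the
# browser will see.
_EDGE_CHARS = "".join(chr(c) for c in range(0x21))  # U+0000 through U+0020
_TAB_OR_NEWLINE = re.compile(r"[\t\n\r]")


def normalize(link):
    return _TAB_OR_NEWLINE.sub("", link.strip(_EDGE_CHARS)).lower()


def is_allowed(link):
    """True only if the normalized link starts with an allow-listed prefix."""
    return normalize(link).startswith(ALLOWED_PREFIXES)


def audit(nav_links):
    """Return the (label, link) pairs that fail the allow-list."""
    return [(label, link) for label, link in nav_links if not is_allowed(link)]


# Constructed sample data, not taken from a real Emissary configuration.
SAMPLE_NAV_LINKS = [
    ("Docs", "https://example.org/docs"),
    ("Status", "/status"),
    ("Intranet", "http://intranet.example/"),
    ("Help", "javascript:alert(1)"),
    ("Wiki", " JavaScript:void(0)"),
    ("Notes", "data:text/html,hello"),
    ("Empty", ""),
]

if __name__ == "__main__":
    for label, link in audit(SAMPLE_NAV_LINKS):
        print(f"REJECT {label!r}: {link!r}")
```

Because the check is an allow-list, any scheme other than the three permitted forms is flagged, not only 'javascript:'.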