Cronicle Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Cronicle versions prior to 0.9.111. A non-admin user who holds the create_events and run_events privileges can place arbitrary JavaScript in a job's output fields. The output is stored on the server without sanitization and is executed in the browser of any user who views the Job Details page for that job. The root cause is that the Job Details page renders job output by assigning it to innerHTML, which parses the stored string as markup instead of displaying it as text, so any script or event-handler attribute the job emitted is interpreted by the browser.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting: the injected script runs with the session and privileges of whoever views the Job Details page. When that viewer is an administrator, the script can steal the session cookie or perform administrative actions on the attacker's behalf, such as creating accounts or creating and running events. Because Cronicle events execute commands on the server, this chains from a browser-side injection to execution of arbitrary commands on the host, potentially with elevated privileges.

Reproduction

To reproduce this vulnerability, create a non-admin user that has the create_events and run_events privileges. Log in as this user and create an event whose job emits a script payload in the job's HTML output fields. Run the event, then open the job's Job Details page as an admin user. The injected script executes in the admin's browser, demonstrating the stored cross-site scripting vulnerability.
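The following is an added example, not Cronicle's own code or its actual patch. It shows the rendering pattern the advisory describes (job-controlled output assigned to innerHTML) beside an escaping renderer, run over a constructed job output object. The object shape, with custom HTML under an html.content field, is assumed here for illustration; the field names are not taken from the advisory.

```javascript
// Added example, not Cronicle's own code: the innerHTML rendering pattern the
// advisory describes, beside an escaping renderer, on constructed job output.

// Constructed sample of a job's JSON output. The `html.title` / `html.content`
// shape is assumed for illustration; the advisory only says "HTML output fields".
const SAMPLE_JOB_OUTPUT = {
  complete: 1,
  code: 0,
  html: {
    title: "Nightly report",
    content: '<b>3 rows</b><img src=x onerror="alert(document.domain)">'
  }
};

// Escape the characters that change meaning inside HTML text or attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the job-controlled string is handed to the browser as
// markup. Assigning this to el.innerHTML parses the <img> and fires onerror
// in the session of whoever opens the Job Details page.
function renderJobHtmlUnsafe(output) {
  const h = output.html || {};
  return "<h3>" + h.title + "</h3><div>" + h.content + "</div>";
}

// Hardened pattern: job output is untrusted text, so every job-controlled
// field is escaped before it is placed in markup. The same <img> now renders
// as literal characters and no script runs.
function renderJobHtmlSafe(output) {
  const h = output.html || {};
  return "<h3>" + escapeHtml(h.title) + "</h3><pre>" + escapeHtml(h.content) + "</pre>";
}

// True when a tag from the job-controlled content survived into the rendered
// markup unchanged. Used only to make the difference between the renderers
// checkable offline.
function leaksJobMarkup(rendered, output) {
  const content = (output.html || {}).content || "";
  const tag = content.match(/<[a-z][^\s>]*/i);
  return tag !== null && rendered.includes(tag[0]);
}

// Browser-only helper: build the DOM with textContent so the job's content is
// never parsed as markup at all. Not called under Node.
function mountJobOutput(el, output) {
  const h = output.html || {};
  const doc = el.ownerDocument;
  const title = doc.createElement("h3");
  title.textContent = String(h.title || "");
  const body = doc.createElement("pre");
  body.textContent = String(h.content || "");
  el.replaceChildren(title, body);
}

console.log("unsafe:", renderJobHtmlUnsafe(SAMPLE_JOB_OUTPUT));
console.log("safe:  ", renderJobHtmlSafe(SAMPLE_JOB_OUTPUT));
```

Escaping everything removes the custom-HTML feature that such output fields exist for. If a product needs to keep rich HTML from jobs, the alternative is an allowlist sanitizer (for example DOMPurify) applied before the innerHTML assignment, plus a Content-Security-Policy without unsafe-inline as defense in depth. The advisory does not state which approach Cronicle 0.9.111 took.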

Remediation

Users are advised to update to Cronicle version 0.9.111 or later, where this vulnerability has been fixed. Until the upgrade is applied, the exposure is limited to users who hold the create_events and run_events privileges, so those privileges should be granted only to trusted accounts.

Added: Apr 7, 2026, 10:04 PM
Updated: Apr 7, 2026, 10:04 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           0.0
impact           1.7
exploitability   6.3
remediation      0.0
relevance        5.4
threat           6.4
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.