Zrok Reflected Cross-Site Scripting Vulnerability in GitHub OAuth Callback

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Zrok, a tool for sharing web services and network resources. This issue affects versions prior to 2.0.1. The vulnerability arises because the proxyUi template engine uses Go's text/template, which does not escape HTML, instead of html/template. In the GitHub OAuth callback handlers for both publicProxy and dynamicProxy, the attacker-controlled refreshInterval query parameter is embedded verbatim into an error message when time.ParseDuration fails. This error is then rendered unescaped into HTML. As a result, an attacker can send a crafted login URL to a victim. After the victim completes the GitHub OAuth flow, the callback page executes arbitrary JavaScript in the OAuth server's origin.
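To make the root cause concrete, here is an added example (not zrok's own code) that renders the same kind of error message once with text/template and once with html/template; the page markup, the function names and the message format are assumptions, and the sample input is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	texttemplate "text/template"
	"time"
)

// Error page in the shape the advisory describes (markup and names are assumptions).
const errorPage = `<html><body><p class="error">{{.Message}}</p></body></html>`

// parseRefreshInterval mirrors the callback's handling of the refreshInterval
// query parameter: on failure the raw parameter ends up in the error text.
func parseRefreshInterval(raw string) (time.Duration, string) {
	d, err := time.ParseDuration(raw)
	if err != nil {
		return 0, fmt.Sprintf("invalid refreshInterval %s: %v", raw, err)
	}
	return d, ""
}

// renderVulnerable uses text/template, which copies the message into the
// page byte for byte, so markup in refreshInterval becomes live HTML.
func renderVulnerable(raw string) (string, error) {
	_, msg := parseRefreshInterval(raw)
	tmpl := texttemplate.Must(texttemplate.New("err").Parse(errorPage))
	var buf bytes.Buffer
	err := tmpl.Execute(&buf, map[string]string{"Message": msg})
	return buf.String(), err
}

// renderFixed is the same handler with html/template, which escapes for the HTML text context.
func renderFixed(raw string) (string, error) {
	_, msg := parseRefreshInterval(raw)
	tmpl := template.Must(template.New("err").Parse(errorPage))
	var buf bytes.Buffer
	err := tmpl.Execute(&buf, map[string]string{"Message": msg})
	return buf.String(), err
}

func main() {
	// Constructed sample: a value that is not a duration but carries a tag.
	for _, render := range []func(string) (string, error){renderVulnerable, renderFixed} {
		out, _ := render("<b>not-a-duration</b>")
		fmt.Println(out)
	}
}
```

Run it and compare the two pages: the first contains the tag as written, the second contains `&lt;b&gt;...&lt;/b&gt;`, which is why switching the proxyUi engine to html/template closes the issue.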

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the OAuth server's origin, potentially leading to unauthorized actions or data exposure within that context.

Remediation

This vulnerability is patched in Zrok version 2.0.1; users should upgrade to 2.0.1 or later.

Added: Apr 17, 2026, 9:23 PM
Updated: Apr 17, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm

category        score
spread          0.0
impact          1.7
exploitability  6.2
remediation     0.0
relevance       6.1
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.