vCluster Platform Stored Cross-Site Scripting Vulnerability Allowing Privilege Escalation
Vulnerability
A stored cross-site scripting vulnerability has been identified in vCluster Platform versions prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0. This vulnerability allows for the execution of arbitrary external scripts within the platform's browser context, potentially leading to privilege escalation. In the worst-case scenario, a malicious user could create a new Global-Admin user, bypassing other security restrictions. The vulnerability affects authenticated users with the ability to create namespaces.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user's browser. This could lead to unauthorized actions being performed on behalf of the user, especially if they have elevated privileges, such as creating a Global-Admin user.
Reproduction
To reproduce this vulnerability, an authenticated user with permission to create namespaces can inject a script by exploiting the name field of a template reference. This is done by including a payload that references an external script in a specific format. Once the namespace is created, the injected script will execute when another user interacts with the namespace icon, effectively performing a cross-site scripting attack.
Remediation
Users are advised to upgrade to vCluster Platform versions 4.4.3, 4.5.5, 4.6.2, 4.7.1, or 4.8.0.
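Alongside the upgrade, stored values can be audited and encoded before display. The following is an added example, not vCluster Platform code and not taken from the advisory: it flags namespace records whose template reference name is not a valid Kubernetes object name and HTML-encodes the value for safe display in a report. The record layout (`namespace`, `templateRefName`), the function names, and the assumption that a legitimate template reference name follows the DNS-1123 subdomain rules are all hypothetical.

```javascript
// Added example; not vCluster Platform code. The record layout is hypothetical.
// Kubernetes object names follow the DNS-1123 subdomain rules.
const DNS1123_SUBDOMAIN =
  /^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$/;

// Assumption: a legitimate template reference name is a Kubernetes object name.
// The length check runs first so the regex only ever sees short input.
function isValidTemplateRefName(name) {
  return typeof name === "string" &&
    name.length > 0 && name.length <= 253 &&
    DNS1123_SUBDOMAIN.test(name);
}

// Encode a value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Return the records whose template reference name fails validation,
// with the name encoded so the report itself cannot render markup.
function auditNamespaces(records) {
  return records
    .filter((r) => !isValidTemplateRefName(r.templateRefName))
    .map((r) => ({
      namespace: r.namespace,
      escapedName: escapeHtml(r.templateRefName),
    }));
}

// Constructed sample data (not the payload format from the advisory).
const SAMPLE = [
  { namespace: "team-a", templateRefName: "isolated-space" },
  { namespace: "team-b",
    templateRefName: 'x"><script src="https://example.invalid/a.js"></script>' },
  { namespace: "team-c", templateRefName: "Default_Template" },
];

console.log(auditNamespaces(SAMPLE));
```

Any record this audit returns was written with a name the Kubernetes API would not accept for a real template, so it deserves review even after the platform has been upgraded.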
