Rallly DOM-Based Cross-Site Scripting Vulnerability in Reset Password Component

Vulnerability

A DOM-based cross-site scripting (XSS) vulnerability has been identified in the Rallly application in versions prior to 4.7.4. The issue lies in the reset password functionality, where the application fails to properly validate the 'redirectTo' URL parameter. This oversight allows attackers to craft malicious links that, when clicked by users, execute arbitrary JavaScript in the context of the user's browser. Such exploitation could lead to credential theft or unauthorized access to internal network resources.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute scripts in the context of the victim's browser. This could be used to steal credentials or pivot to other systems on the same network.

Reproduction

To reproduce this vulnerability, an attacker must first obtain a reset token by initiating a password reset request. They can then craft a URL that includes the token and a 'redirectTo' parameter containing a JavaScript payload, such as 'javascript:alert(window.origin)'. When a user clicks this link and enters a new password, the JavaScript payload will be executed in their browser.

Remediation

Users are advised to upgrade to Rallly version 4.8.0, which addresses this vulnerability.
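Beyond upgrading, maintainers of similar password-reset flows can compare their own code against the following added example (not Rallly's own fix) of a redirect-target check that rejects the 'javascript:' payload described above and accepts only same-origin paths; the origin 'https://rallly.example' and the default landing path are assumptions.

```javascript
// Added example (not Rallly's own code): validate a user-supplied
// 'redirectTo' so it can only ever name a path on our own origin. The
// advisory's bug is "javascript:alert(window.origin)" reaching a
// navigation sink unchecked, so the scheme runs as script in the browser.

const APP_ORIGIN = "https://rallly.example"; // assumed deployment origin
const DEFAULT_PATH = "/";                    // safe landing page

function safeRedirectTarget(raw, origin = APP_ORIGIN) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return DEFAULT_PATH;
  }
  // Control characters and whitespace let a scheme slip past naive
  // string checks ("java\tscript:"), so refuse them outright.
  if (/[\u0000-\u0020\u007f]/.test(raw)) {
    return DEFAULT_PATH;
  }
  // Accept only relative, single-slash paths: this rejects "//evil.example"
  // and "/\evil.example", which the URL parser normalises to a new host.
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) {
    return DEFAULT_PATH;
  }
  let parsed;
  try {
    parsed = new URL(raw, origin); // resolve against our origin
  } catch {
    return DEFAULT_PATH;
  }
  // Whatever the parser made of it, the result must still be http(s) on
  // our origin; javascript:, data: and foreign hosts all fail here.
  if (parsed.origin !== origin || !/^https?:$/.test(parsed.protocol)) {
    return DEFAULT_PATH;
  }
  // Hand back only path + query + fragment, never an absolute URL, so a
  // later caller cannot accidentally navigate off-origin.
  return parsed.pathname + parsed.search + parsed.hash;
}
// Constructed inputs: the advisory's payload, two open-redirect variants
// and a benign post-reset destination, each paired with the expected result.
const SAMPLES = [
  ["javascript:alert(window.origin)", DEFAULT_PATH],
  ["//attacker.example/", DEFAULT_PATH],
  ["/\\attacker.example/", DEFAULT_PATH],
  ["/polls/abc123?from=reset", "/polls/abc123?from=reset"],
];
// Inputs whose result differs from the expectation (an empty list).
function mismatches() {
  return SAMPLES.filter(([raw, want]) => safeRedirectTarget(raw) !== want).map(([raw]) => raw);
}
```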

Added: Apr 17, 2026, 3:23 PM
Updated: Apr 17, 2026, 3:23 PM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact          1.7
exploitability  7.5
remediation     0.0
relevance       6.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.