ghsa-9rp6-23gf-4c3h
Vulnerability from github
Published
2023-06-06 16:39
Modified
2023-06-06 18:50
Severity ?
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
syncthing vulnerable to Cross-site Scripting (XSS) in Web GUI
Details

Impact

  1. A compromised instance with shared folders could sync malicious files which contain arbitrary HTML and JavaScript in the name. If the owner of another device looks over the shared folder settings and moves the mouse over the latest sync, a script could be executed to change settings for shared folders or add devices automatically.

  2. Adding a new device with a malicious name could embed HTML or JavaScript inside parts of the page.

Risk

As long as trusted devices are used, the risk is low. Additionally, the web GUI is not used that often in daily use which reduces the likelihood of exploitation.

Details

1. Field "Latest Change"

  • Open the web GUI at http://127.0.0.1:8384/.
  • Create/Delete a file named <img src=a onerror=alert(123)> and sync it to the other instance.
  • Move your mouse over the latest change to trigger the tooltip.

latest-change

Web browser source

```html

\"> @ 2022-11-30 16:58:43

```

Corresponding code in the project

File gui/default/index.html: ```html

 Latest Change Updated {%file%} Deleted {%file%}

```

File gui/default/syncthing/core/tooltipDirective.js:
javascript angular.module('syncthing.core') .directive('tooltip', function () { return { restrict: 'A', link: function (scope, element, attributes) { $(element).tooltip({ html: 'true' }); } }; });

The attribute html should not be set to true or input sanitized.

2. Field "Shared With"

  • Open the web GUI at http://127.0.0.1:8384/.
  • Create a device with the following name fedora 1"'><h1>Headline</h1><img src=x><script>alert(1)</script>.
  • Add the device to another instance and share a folder.
  • Move your mouse over the malicious device name to trigger the tooltip.

shared-with-1

Web browser source

```html Headline

fedora 1"'>

Headline

alert(1)

```

Corresponding code in the project

File gui/default/index.html:

```html

 Shared With

```

File gui/default/syncthing/core/tooltipDirective.js:

javascript angular.module('syncthing.core') .directive('tooltip', function () { return { restrict: 'A', link: function (scope, element, attributes) { $(element).tooltip({ html: 'true' }); } }; });

The attribute html should not be set to true or input sanitized.

HTML Injection in "Edit Folder"

shared-with-2

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/syncthing/syncthing"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.23.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-46165"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-06T16:39:57Z",
    "nvd_published_at": "2023-06-06T18:15:10Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\n1. A compromised instance with shared folders could sync malicious files which contain arbitrary HTML and JavaScript in the name.\nIf the owner of another device looks over the shared folder settings and moves the mouse over the latest sync, a script could be executed to change settings for shared folders or add devices automatically.\n\n2. Adding a new device with a malicious name could embed HTML or JavaScript inside parts of the page.\n\n## Risk\n\nAs long as trusted devices are used, the risk is low.\nAdditionally, the web GUI is not used that often in daily use which reduces the likelihood of exploitation.\n\n## Details\n\n### 1. Field \"Latest Change\"\n\n* Open the web GUI at [http://127.0.0.1:8384/](http://127.0.0.1:8384/).\n* Create/Delete a file named ```\u003cimg src=a onerror=alert(123)\u003e``` and sync it to the other instance.\n* Move your mouse over the latest change to trigger the tooltip.\n\n\u003cimg width=\"834\" alt=\"latest-change\" src=\"https://user-images.githubusercontent.com/9484134/205084362-20a8ec13-a88d-469f-bdf1-e5291c20f4c1.png\"\u003e\n\n##### Web browser source\n```html\n\u003cspan tooltip=\"\" data-original-title=\"\\\u0026quot;\u003e\u003cimg src=a onerror=alert(123)\u003e @ 2022-11-30 16:58:43\"\n    aria-describedby=\"tooltip409527\"\u003e\n    \u003c!-- ngIf: !folderStats[folder.id].lastFile.deleted --\u003e\u003cspan translate=\"\"\n        translate-value-file=\"\u0026quot;\u003e\u003cimg src=a onerror=alert(123)\u003e\" ng-if=\"!folderStats[folder.id].lastFile.deleted\"\n        class=\"ng-scope\"\u003eUpdated \"\u0026gt;\u0026lt;img src=a onerror=alert(123)\u0026gt;\u003c/span\u003e\n    \u003c!-- end ngIf: !folderStats[folder.id].lastFile.deleted --\u003e\n    \u003c!-- ngIf: folderStats[folder.id].lastFile.deleted --\u003e\n\u003c/span\u003e\n\u003cdiv class=\"tooltip fade top in\" role=\"tooltip\" id=\"tooltip409527\"\n    style=\"top: 446.033px; left: 318.3px; display: block;\"\u003e\n    \u003cdiv class=\"tooltip-arrow\" style=\"left: 50%;\"\u003e\u003c/div\u003e\n    \u003cdiv class=\"tooltip-inner\"\u003e\\\"\u0026gt;\u003cimg src=\"a\" onerror=\"alert(123)\"\u003e @ 2022-11-30 16:58:43\u003c/div\u003e\n\u003c/div\u003e\n```\n\n##### Corresponding code in the project \n\nFile ````gui/default/index.html````:\n```html\n\u003ctr ng-if=\"folder.type != \u0027sendonly\u0027 \u0026\u0026 folder.type != \u0027receiveencrypted\u0027 \u0026\u0026 folderStats[folder.id].lastFile \u0026\u0026 folderStats[folder.id].lastFile.filename\"\u003e\n    \u003cth\u003e\u003cspan class=\"fas fa-fw fa-exchange-alt\"\u003e\u003c/span\u003e\u0026nbsp;\u003cspan translate\u003eLatest Change\u003c/span\u003e\u003c/th\u003e\n    \u003ctd class=\"text-right\"\u003e\n        \u003cspan tooltip data-original-title=\"{{folderStats[folder.id].lastFile.filename}} @ {{folderStats[folder.id].lastFile.at | date:\u0027yyyy-MM-dd HH:mm:ss\u0027}}\"\u003e\n        \u003cspan translate translate-value-file=\"{{folderStats[folder.id].lastFile.filename | basename}}\" ng-if=\"!folderStats[folder.id].lastFile.deleted\"\u003eUpdated {%file%}\u003c/span\u003e\n        \u003cspan translate translate-value-file=\"{{folderStats[folder.id].lastFile.filename | basename}}\" ng-if=\"folderStats[folder.id].lastFile.deleted\"\u003eDeleted {%file%}\u003c/span\u003e\n        \u003c/span\u003e\n    \u003c/td\u003e\n\u003c/tr\u003e\n```\n\nFile ````gui/default/syncthing/core/tooltipDirective.js````:  \n```javascript\nangular.module(\u0027syncthing.core\u0027)\n    .directive(\u0027tooltip\u0027, function () {\n        return {\n            restrict: \u0027A\u0027,\n            link: function (scope, element, attributes) {\n                $(element).tooltip({\n                    html: \u0027true\u0027\n                });\n            }\n        };\n    });\n```\n\nThe attribute ```html``` should not be set to ```true``` or input sanitized.\n\n### 2. Field \"Shared With\"\n\n* Open the web GUI at [http://127.0.0.1:8384/](http://127.0.0.1:8384/).\n* Create a device with the following name ```fedora 1\"\u0027\u003e\u003ch1\u003eHeadline\u003c/h1\u003e\u003cimg src=x\u003e\u003cscript\u003ealert(1)\u003c/script\u003e```.\n* Add the device to another instance and share a folder.\n* Move your mouse over the malicious device name to trigger the tooltip.\n \n\u003cimg width=\"608\" alt=\"shared-with-1\" src=\"https://user-images.githubusercontent.com/9484134/205084172-8cab2d0e-3257-46d5-be81-41fbd7228e0c.png\"\u003e\n\n\n##### Web browser source  \n\n```html\n\u003cspan tooltip=\"\" data-original-title=\"fedora 1\u0026quot;\u0027\u003e\u003ch1\u003eHeadline\u003c/h1\u003e\u003cimg src=x\u003e\u003cscript\u003ealert(1)\u003c/script\u003e  \"\n    ng-bind-html=\"sharesFolder(folder)\" class=\"ng-binding\" aria-describedby=\"tooltip348410\"\u003efedora 1\"\u0027\u0026gt;\u003ch1\u003eHeadline\n    \u003c/h1\u003e\u003cimg src=\"x\"\u003e\u003c/span\u003e\n\u003cdiv class=\"tooltip fade top\" role=\"tooltip\" id=\"tooltip348410\" style=\"top: 0px; left: 0px; display: block;\"\u003e\n    \u003cdiv class=\"tooltip-arrow\" style=\"left: 50%;\"\u003e\u003c/div\u003e\n    \u003cdiv class=\"tooltip-inner\"\u003efedora 1\"\u0027\u0026gt;\u003ch1\u003eHeadline\u003c/h1\u003e\u003cimg src=\"x\"\u003e\n        \u003cscript\u003ealert(1)\u003c/script\u003e\n    \u003c/div\u003e\n\u003c/div\u003e\n```\n\n##### Corresponding code in the project \n\nFile ````gui/default/index.html````:\n\n```html\n\u003ctr\u003e\n    \u003cth\u003e\u003cspan class=\"fas fa-fw fa-share-alt\"\u003e\u003c/span\u003e\u0026nbsp;\u003cspan translate\u003eShared With\u003c/span\u003e\u003c/th\u003e\n    \u003ctd class=\"text-right\"\u003e\n        \u003cspan tooltip data-original-title=\"{{sharesFolder(folder)}} {{folderHasUnacceptedDevices(folder) ? \u0027\u003cbr/\u003e(\u003csup\u003e1\u003c/sup\u003e\u0027 + (\u0027The remote device has not accepted sharing this folder.\u0027 | translate) + \u0027)\u0027 : \u0027\u0027}} {{folderHasPausedDevices(folder) ? \u0027\u003cbr/\u003e(\u003csup\u003e2\u003c/sup\u003e\u0027 + (\u0027The remote device has paused this folder.\u0027 | translate) + \u0027)\u0027 : \u0027\u0027}}\" ng-bind-html=\"sharesFolder(folder)\"\u003e\u003c/span\u003e\n    \u003c/td\u003e\n\u003c/tr\u003e\n```\n\nFile ````gui/default/syncthing/core/tooltipDirective.js````:  \n\n```javascript\nangular.module(\u0027syncthing.core\u0027)\n    .directive(\u0027tooltip\u0027, function () {\n        return {\n            restrict: \u0027A\u0027,\n            link: function (scope, element, attributes) {\n                $(element).tooltip({\n                    html: \u0027true\u0027\n                });\n            }\n        };\n    });\n```\n\nThe attribute ```html``` should not be set to ```true``` or input sanitized.\n\n##### HTML Injection in \"Edit Folder\"\n\n\u003cimg width=\"672\" alt=\"shared-with-2\" src=\"https://user-images.githubusercontent.com/9484134/205084067-b33f8536-e350-4de1-86f6-3d4a12a683c3.png\"\u003e\n",
  "id": "GHSA-9rp6-23gf-4c3h",
  "modified": "2023-06-06T18:50:28Z",
  "published": "2023-06-06T16:39:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/syncthing/syncthing/security/advisories/GHSA-9rp6-23gf-4c3h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46165"
    },
    {
      "type": "WEB",
      "url": "https://github.com/syncthing/syncthing/commit/73c52eafb6566435dffd979c3c49562b6d5a4238"
    },
    {
      "type": "WEB",
      "url": "https://github.com/syncthing/syncthing/commit/f5e5af391a6583047c64ef8c51642003a79b75cf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/syncthing/syncthing"
    },
    {
      "type": "WEB",
      "url": "https://github.com/syncthing/syncthing/releases/tag/v1.23.5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IRYGBFJPVBW6PPTETNIBWQJE4HJSA5PJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XEBWSQVGHSTR4ZO7LVVEMPEGMV2DS5XR"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "syncthing vulnerable to Cross-site Scripting (XSS) in Web GUI"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.