GHSA-9RP6-23GF-4C3H

Vulnerability from github – Published: 2023-06-06 16:39 – Updated: 2023-06-06 18:50
VLAI?
Summary
syncthing vulnerable to Cross-site Scripting (XSS) in Web GUI
Details

Impact

  1. A compromised instance with shared folders could sync malicious files which contain arbitrary HTML and JavaScript in the name. If the owner of another device looks over the shared folder settings and moves the mouse over the latest sync, a script could be executed to change settings for shared folders or add devices automatically.

  2. Adding a new device with a malicious name could embed HTML or JavaScript inside parts of the page.

Risk

As long as trusted devices are used, the risk is low. Additionally, the web GUI is not used that often in daily use which reduces the likelihood of exploitation.

Details

1. Field "Latest Change"

  • Open the web GUI at http://127.0.0.1:8384/.
  • Create/Delete a file named <img src=a onerror=alert(123)> and sync it to the other instance.
  • Move your mouse over the latest change to trigger the tooltip.

latest-change

Web browser source
<span tooltip="" data-original-title="\&quot;><img src=a onerror=alert(123)> @ 2022-11-30 16:58:43"
    aria-describedby="tooltip409527">
    <!-- ngIf: !folderStats[folder.id].lastFile.deleted --><span translate=""
        translate-value-file="&quot;><img src=a onerror=alert(123)>" ng-if="!folderStats[folder.id].lastFile.deleted"
        class="ng-scope">Updated "&gt;&lt;img src=a onerror=alert(123)&gt;</span>
    <!-- end ngIf: !folderStats[folder.id].lastFile.deleted -->
    <!-- ngIf: folderStats[folder.id].lastFile.deleted -->
</span>
<div class="tooltip fade top in" role="tooltip" id="tooltip409527"
    style="top: 446.033px; left: 318.3px; display: block;">
    <div class="tooltip-arrow" style="left: 50%;"></div>
    <div class="tooltip-inner">\"&gt;<img src="a" onerror="alert(123)"> @ 2022-11-30 16:58:43</div>
</div>
Corresponding code in the project

File gui/default/index.html:

<tr ng-if="folder.type != 'sendonly' && folder.type != 'receiveencrypted' && folderStats[folder.id].lastFile && folderStats[folder.id].lastFile.filename">
    <th><span class="fas fa-fw fa-exchange-alt"></span>&nbsp;<span translate>Latest Change</span></th>
    <td class="text-right">
        <span tooltip data-original-title="{{folderStats[folder.id].lastFile.filename}} @ {{folderStats[folder.id].lastFile.at | date:'yyyy-MM-dd HH:mm:ss'}}">
        <span translate translate-value-file="{{folderStats[folder.id].lastFile.filename | basename}}" ng-if="!folderStats[folder.id].lastFile.deleted">Updated {%file%}</span>
        <span translate translate-value-file="{{folderStats[folder.id].lastFile.filename | basename}}" ng-if="folderStats[folder.id].lastFile.deleted">Deleted {%file%}</span>
        </span>
    </td>
</tr>

File gui/default/syncthing/core/tooltipDirective.js: 

angular.module('syncthing.core')
    .directive('tooltip', function () {
        return {
            restrict: 'A',
            link: function (scope, element, attributes) {
                $(element).tooltip({
                    html: 'true'
                });
            }
        };
    });

The attribute html should not be set to true or input sanitized.

2. Field "Shared With"

  • Open the web GUI at http://127.0.0.1:8384/.
  • Create a device with the following name fedora 1"'><h1>Headline</h1><img src=x><script>alert(1)</script>.
  • Add the device to another instance and share a folder.
  • Move your mouse over the malicious device name to trigger the tooltip.

shared-with-1

Web browser source
<span tooltip="" data-original-title="fedora 1&quot;'><h1>Headline</h1><img src=x><script>alert(1)</script>  "
    ng-bind-html="sharesFolder(folder)" class="ng-binding" aria-describedby="tooltip348410">fedora 1"'&gt;<h1>Headline
    </h1><img src="x"></span>
<div class="tooltip fade top" role="tooltip" id="tooltip348410" style="top: 0px; left: 0px; display: block;">
    <div class="tooltip-arrow" style="left: 50%;"></div>
    <div class="tooltip-inner">fedora 1"'&gt;<h1>Headline</h1><img src="x">
        <script>alert(1)</script>
    </div>
</div>
Corresponding code in the project

File gui/default/index.html:

<tr>
    <th><span class="fas fa-fw fa-share-alt"></span>&nbsp;<span translate>Shared With</span></th>
    <td class="text-right">
        <span tooltip data-original-title="{{sharesFolder(folder)}} {{folderHasUnacceptedDevices(folder) ? '<br/>(<sup>1</sup>' + ('The remote device has not accepted sharing this folder.' | translate) + ')' : ''}} {{folderHasPausedDevices(folder) ? '<br/>(<sup>2</sup>' + ('The remote device has paused this folder.' | translate) + ')' : ''}}" ng-bind-html="sharesFolder(folder)"></span>
    </td>
</tr>

File gui/default/syncthing/core/tooltipDirective.js: 

angular.module('syncthing.core')
    .directive('tooltip', function () {
        return {
            restrict: 'A',
            link: function (scope, element, attributes) {
                $(element).tooltip({
                    html: 'true'
                });
            }
        };
    });

The attribute html should not be set to true or input sanitized.

HTML Injection in "Edit Folder"

shared-with-2

Severity ?
4.6 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/syncthing/syncthing"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.23.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-46165"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-06T16:39:57Z",
    "nvd_published_at": "2023-06-06T18:15:10Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\n1. A compromised instance with shared folders could sync malicious files which contain arbitrary HTML and JavaScript in the name.\nIf the owner of another device looks over the shared folder settings and moves the mouse over the latest sync, a script could be executed to change settings for shared folders or add devices automatically.\n\n2. Adding a new device with a malicious name could embed HTML or JavaScript inside parts of the page.\n\n## Risk\n\nAs long as trusted devices are used, the risk is low.\nAdditionally, the web GUI is not used that often in daily use which reduces the likelihood of exploitation.\n\n## Details\n\n### 1. Field \"Latest Change\"\n\n* Open the web GUI at [http://127.0.0.1:8384/](http://127.0.0.1:8384/).\n* Create/Delete a file named ```\u003cimg src=a onerror=alert(123)\u003e``` and sync it to the other instance.\n* Move your mouse over the latest change to trigger the tooltip.\n\n\u003cimg width=\"834\" alt=\"latest-change\" src=\"https://user-images.githubusercontent.com/9484134/205084362-20a8ec13-a88d-469f-bdf1-e5291c20f4c1.png\"\u003e\n\n##### Web browser source\n```html\n\u003cspan tooltip=\"\" data-original-title=\"\\\u0026quot;\u003e\u003cimg src=a onerror=alert(123)\u003e @ 2022-11-30 16:58:43\"\n    aria-describedby=\"tooltip409527\"\u003e\n    \u003c!-- ngIf: !folderStats[folder.id].lastFile.deleted --\u003e\u003cspan translate=\"\"\n        translate-value-file=\"\u0026quot;\u003e\u003cimg src=a onerror=alert(123)\u003e\" ng-if=\"!folderStats[folder.id].lastFile.deleted\"\n        class=\"ng-scope\"\u003eUpdated \"\u0026gt;\u0026lt;img src=a onerror=alert(123)\u0026gt;\u003c/span\u003e\n    \u003c!-- end ngIf: !folderStats[folder.id].lastFile.deleted --\u003e\n    \u003c!-- ngIf: folderStats[folder.id].lastFile.deleted --\u003e\n\u003c/span\u003e\n\u003cdiv class=\"tooltip fade top in\" role=\"tooltip\" id=\"tooltip409527\"\n    style=\"top: 446.033px; left: 318.3px; display: block;\"\u003e\n    \u003cdiv class=\"tooltip-arrow\" style=\"left: 50%;\"\u003e\u003c/div\u003e\n    \u003cdiv class=\"tooltip-inner\"\u003e\\\"\u0026gt;\u003cimg src=\"a\" onerror=\"alert(123)\"\u003e @ 2022-11-30 16:58:43\u003c/div\u003e\n\u003c/div\u003e\n```\n\n##### Corresponding code in the project \n\nFile ````gui/default/index.html````:\n```html\n\u003ctr ng-if=\"folder.type != \u0027sendonly\u0027 \u0026\u0026 folder.type != \u0027receiveencrypted\u0027 \u0026\u0026 folderStats[folder.id].lastFile \u0026\u0026 folderStats[folder.id].lastFile.filename\"\u003e\n    \u003cth\u003e\u003cspan class=\"fas fa-fw fa-exchange-alt\"\u003e\u003c/span\u003e\u0026nbsp;\u003cspan translate\u003eLatest Change\u003c/span\u003e\u003c/th\u003e\n    \u003ctd class=\"text-right\"\u003e\n        \u003cspan tooltip data-original-title=\"{{folderStats[folder.id].lastFile.filename}} @ {{folderStats[folder.id].lastFile.at | date:\u0027yyyy-MM-dd HH:mm:ss\u0027}}\"\u003e\n        \u003cspan translate translate-value-file=\"{{folderStats[folder.id].lastFile.filename | basename}}\" ng-if=\"!folderStats[folder.id].lastFile.deleted\"\u003eUpdated {%file%}\u003c/span\u003e\n        \u003cspan translate translate-value-file=\"{{folderStats[folder.id].lastFile.filename | basename}}\" ng-if=\"folderStats[folder.id].lastFile.deleted\"\u003eDeleted {%file%}\u003c/span\u003e\n        \u003c/span\u003e\n    \u003c/td\u003e\n\u003c/tr\u003e\n```\n\nFile ````gui/default/syncthing/core/tooltipDirective.js````:  \n```javascript\nangular.module(\u0027syncthing.core\u0027)\n    .directive(\u0027tooltip\u0027, function () {\n        return {\n            restrict: \u0027A\u0027,\n            link: function (scope, element, attributes) {\n                $(element).tooltip({\n                    html: \u0027true\u0027\n                });\n            }\n        };\n    });\n```\n\nThe attribute ```html``` should not be set to ```true``` or input sanitized.\n\n### 2. Field \"Shared With\"\n\n* Open the web GUI at [http://127.0.0.1:8384/](http://127.0.0.1:8384/).\n* Create a device with the following name ```fedora 1\"\u0027\u003e\u003ch1\u003eHeadline\u003c/h1\u003e\u003cimg src=x\u003e\u003cscript\u003ealert(1)\u003c/script\u003e```.\n* Add the device to another instance and share a folder.\n* Move your mouse over the malicious device name to trigger the tooltip.\n \n\u003cimg width=\"608\" alt=\"shared-with-1\" src=\"https://user-images.githubusercontent.com/9484134/205084172-8cab2d0e-3257-46d5-be81-41fbd7228e0c.png\"\u003e\n\n\n##### Web browser source  \n\n```html\n\u003cspan tooltip=\"\" data-original-title=\"fedora 1\u0026quot;\u0027\u003e\u003ch1\u003eHeadline\u003c/h1\u003e\u003cimg src=x\u003e\u003cscript\u003ealert(1)\u003c/script\u003e  \"\n    ng-bind-html=\"sharesFolder(folder)\" class=\"ng-binding\" aria-describedby=\"tooltip348410\"\u003efedora 1\"\u0027\u0026gt;\u003ch1\u003eHeadline\n    \u003c/h1\u003e\u003cimg src=\"x\"\u003e\u003c/span\u003e\n\u003cdiv class=\"tooltip fade top\" role=\"tooltip\" id=\"tooltip348410\" style=\"top: 0px; left: 0px; display: block;\"\u003e\n    \u003cdiv class=\"tooltip-arrow\" style=\"left: 50%;\"\u003e\u003c/div\u003e\n    \u003cdiv class=\"tooltip-inner\"\u003efedora 1\"\u0027\u0026gt;\u003ch1\u003eHeadline\u003c/h1\u003e\u003cimg src=\"x\"\u003e\n        \u003cscript\u003ealert(1)\u003c/script\u003e\n    \u003c/div\u003e\n\u003c/div\u003e\n```\n\n##### Corresponding code in the project \n\nFile ````gui/default/index.html````:\n\n```html\n\u003ctr\u003e\n    \u003cth\u003e\u003cspan class=\"fas fa-fw fa-share-alt\"\u003e\u003c/span\u003e\u0026nbsp;\u003cspan translate\u003eShared With\u003c/span\u003e\u003c/th\u003e\n    \u003ctd class=\"text-right\"\u003e\n        \u003cspan tooltip data-original-title=\"{{sharesFolder(folder)}} {{folderHasUnacceptedDevices(folder) ? \u0027\u003cbr/\u003e(\u003csup\u003e1\u003c/sup\u003e\u0027 + (\u0027The remote device has not accepted sharing this folder.\u0027 | translate) + \u0027)\u0027 : \u0027\u0027}} {{folderHasPausedDevices(folder) ? \u0027\u003cbr/\u003e(\u003csup\u003e2\u003c/sup\u003e\u0027 + (\u0027The remote device has paused this folder.\u0027 | translate) + \u0027)\u0027 : \u0027\u0027}}\" ng-bind-html=\"sharesFolder(folder)\"\u003e\u003c/span\u003e\n    \u003c/td\u003e\n\u003c/tr\u003e\n```\n\nFile ````gui/default/syncthing/core/tooltipDirective.js````:  \n\n```javascript\nangular.module(\u0027syncthing.core\u0027)\n    .directive(\u0027tooltip\u0027, function () {\n        return {\n            restrict: \u0027A\u0027,\n            link: function (scope, element, attributes) {\n                $(element).tooltip({\n                    html: \u0027true\u0027\n                });\n            }\n        };\n    });\n```\n\nThe attribute ```html``` should not be set to ```true``` or input sanitized.\n\n##### HTML Injection in \"Edit Folder\"\n\n\u003cimg width=\"672\" alt=\"shared-with-2\" src=\"https://user-images.githubusercontent.com/9484134/205084067-b33f8536-e350-4de1-86f6-3d4a12a683c3.png\"\u003e\n",
  "id": "GHSA-9rp6-23gf-4c3h",
  "modified": "2023-06-06T18:50:28Z",
  "published": "2023-06-06T16:39:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/syncthing/syncthing/security/advisories/GHSA-9rp6-23gf-4c3h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46165"
    },
    {
      "type": "WEB",
      "url": "https://github.com/syncthing/syncthing/commit/73c52eafb6566435dffd979c3c49562b6d5a4238"
    },
    {
      "type": "WEB",
      "url": "https://github.com/syncthing/syncthing/commit/f5e5af391a6583047c64ef8c51642003a79b75cf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/syncthing/syncthing"
    },
    {
      "type": "WEB",
      "url": "https://github.com/syncthing/syncthing/releases/tag/v1.23.5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IRYGBFJPVBW6PPTETNIBWQJE4HJSA5PJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XEBWSQVGHSTR4ZO7LVVEMPEGMV2DS5XR"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "syncthing vulnerable to Cross-site Scripting (XSS) in Web GUI"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.