Summary
Portainer 2.16.0 and above are affected by a self-XSS vulnerability in the updateUser function of the UserController controller. The function does not sanitize the oldUsername or username variables passed to the message argument.
Severity
Low - The function does not sanitize the variables passed to the message argument, creating an XSS.
Proof of Concept
Steps to reproduce:
- Authenticate to Portainer as an administrative user
- Create a user. The name can optionally contain an XSS payload such as <script>alert(1)</script>.
- Go to the Users page and click on the username. The resulting page has a form for changing the username. In that pane, enter a new username containing a payload (this is optional if the existing name already contains a payload; if both the former and the new username contain payloads, both will be executed).
- Press “Save” and the payload(s) will be executed. The following screenshot shows a username change (whose original username was <script>alert(4)</script> and modified username was asdf<script>alert(4)</script>) after the “Save” button was pressed. The payload is triggered.
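To show the defect class behind this advisory and what the fix looks like, the following is an added example and not Portainer's code: a hypothetical notification builder that drops the old and new username straight into HTML, beside a version that HTML-escapes both values first, checked against the payloads from the steps above. The function names and the message template are assumptions.

```javascript
// Added example, not Portainer's code. The function names and the
// message template are assumptions used to illustrate the defect.

// Minimal HTML escaping for text placed inside element content or a
// double-quoted attribute value: neutralises the characters that can
// close a text node or attribute and start a tag.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable form: the usernames are interpolated unescaped, so a name
// such as <script>alert(4)</script> becomes live markup as soon as the
// message is rendered through innerHTML or an equivalent unsafe binding.
function buildUpdateMessageUnsafe(oldUsername, username) {
  return `User <b>${oldUsername}</b> renamed to <b>${username}</b>`;
}

// Hardened form: both values are escaped before interpolation, so the
// same input is displayed literally and cannot inject tags.
function buildUpdateMessageSafe(oldUsername, username) {
  return `User <b>${escapeHtml(oldUsername)}</b> renamed to <b>${escapeHtml(username)}</b>`;
}

// Cheap regression check for a rendered message: does it contain any
// tag that did not come from the template? The template only emits
// <b> and </b>, so anything else indicates user input reached the HTML.
function containsUnexpectedTag(message) {
  const tags = message.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?b>$/.test(t));
}
```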
Timeline
Date reported: 3/20/2023
Date fixed: 4/18/2023
Date disclosed: 6/20/2023