Security Vulnerability - Stored Cross Site Scripting
Closed this issue · 4 comments
Summary
WireMock with GUI versions 3.2.0.0 through 3.0.4.0 are vulnerable to stored cross-site scripting (SXSS) through the recording feature. An attacker can host a malicious payload and perform a test mapping pointing to the attacker's file, and the result will render on the Matched page in the Body area, resulting in the execution of the payload. This occurs because the response body is not validated or sanitized.
Tested Versions
3.2.0.0
3.1.0.0
3.0.4.0
POC
Recommendations
Follow the official Wiremock documentation to prevent proxying to unintended locations.
Update to the latest release of Wiremock with GUI.
References
CVE-2023-50069
https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses
CVSS
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
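As an added illustration (not code from the WireMock with GUI project), here is the rendering pattern behind this finding beside its fix: a recorded response body inserted into the Body area markup as-is, versus the same body escaped so it is shown as text. The function names and the sample body are constructed for this example.

```javascript
// Added example, not project code. Names below are assumptions for
// illustration; the Body area is modelled as a <pre> fragment.

// Constructed sample: a recorded response body returned by the upstream
// that the mapping was pointed at. The GUI shows it on the Matched page.
const RECORDED_BODY = '{"greeting":"hi"}<script>document.title="x"</script>';

// Vulnerable pattern: the raw body is interpolated into markup (the DOM
// equivalent is `pre.innerHTML = body`), so tags in the recorded response
// become live elements in the GUI user's browser.
function renderBodyAreaUnsafe(body) {
  return `<pre class="body-area">${body}</pre>`;
}

// Escape the characters that can break out of text or attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: the body is untrusted data and is escaped before it is
// placed in markup (DOM equivalent: `pre.textContent = body`). The reader
// still sees the exact bytes the upstream returned, but as text only.
function renderBodyAreaSafe(body) {
  return `<pre class="body-area">${escapeHtml(body)}</pre>`;
}

// Check a reviewer can run over a rendered fragment: the Body area is inert
// when the recorded body contributed no angle brackets to the page.
function bodyAreaIsInert(rendered) {
  const open = '<pre class="body-area">';
  const inner = rendered.slice(open.length, -'</pre>'.length);
  return !/[<>]/.test(inner);
}

module.exports = { RECORDED_BODY, renderBodyAreaUnsafe, renderBodyAreaSafe, escapeHtml, bodyAreaIsInert };
```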
Hi,
Thx for mentioning that. Do you see a need to backport a fix for that, because as you mentioned, this is already fixed in the latest versions.
I'm not overly familiar with the changes between the versions. If there is a need for a user to stay on versions 3.2.0.0, 3.1.0.0 or 3.0.4.0 then I think going back and resolving the issue would be worth it. If not, I would recommend for users to upgrade to the latest.
I will test the effort with 3.2.0.0. I think it's not much, but yeah I often thought that in the past. We will see. I will post an update here when I have more insights.
Backported a fix for:
- 3.0.4.0
- 3.1.0.0
- 3.2.0.0
I added a small section in the Readme, which will mention this to encourage users to update.