User-Friendly USVN is a web interface written in PHP used to configure Subversion repositories.
User inputs have to be controlled and sanitized before being used by the application.
CVE ID: CVE-2020-17364
Access Vector: Network
Security Risk: High
CVSS Base Score: 7.4
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
$ svn checkout http://127.0.0.1:8090/svn/a --username mickael
$ cd a/trunk
$ echo "<html><body><script>alert(document.cookie)</script>" > xss.html
$ svn add xss.html
$ svn commit -m "adding xss.html"
Moreover, because the session cookie is not protected by the HttpOnly flag, the attacker can use this stored XSS to steal the user's session cookie and later impersonate that user.
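The two controls this advisory points to, encoding repository content before it reaches the browser and marking the session cookie HttpOnly, are shown here as an added example. It is not USVN's code or the upstream fix; the function names are hypothetical, the sample file content is the one from the commands above, and HTTPS is assumed for the `secure` attribute.

```php
<?php
// Added example, not USVN code. All function names are hypothetical.

// Constructed sample: the file content committed in the commands above.
const SAMPLE_FILE = '<html><body><script>alert(document.cookie)</script>';

/**
 * Build the HTML fragment that shows a repository file inside the web UI.
 * Everything that came from the repository (name and content) is encoded,
 * so the browser displays the markup as text instead of executing it.
 */
function render_repo_file(string $name, string $content): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<h2>' . htmlspecialchars($name, $flags, 'UTF-8') . "</h2>\n"
         . '<pre>' . htmlspecialchars($content, $flags, 'UTF-8') . '</pre>';
}

/**
 * Headers for a raw download of a repository file: never let the browser
 * treat committed bytes as an HTML document in the application's origin.
 */
function raw_file_headers(string $name): array
{
    // Keep only a conservative character set in the suggested filename.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($name));
    return [
        'Content-Type: text/plain; charset=UTF-8',
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: attachment; filename="' . $safe . '"',
        "Content-Security-Policy: default-src 'none'; sandbox",
    ];
}

/** Session cookie settings so script running in a page cannot read it. */
function harden_session_cookie(): void
{
    session_set_cookie_params([   // array form requires PHP >= 7.3
        'httponly' => true,
        'secure'   => true,       // assumption: the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
}

if (PHP_SAPI === 'cli') {         // demo on the constructed sample
    echo render_repo_file('xss.html', SAMPLE_FILE), "\n";
    echo implode("\n", raw_file_headers('xss.html')), "\n";
}
```

`harden_session_cookie()` has to be called before `session_start()`, and each string from `raw_file_headers()` is meant to be passed to `header()` before any file bytes are sent.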
- USVN versions < 1.0.8
- Update to USVN >= 1.0.9
- Update to commit a2c315a75a518ba57d385dc3a56866541ec06faf (https://github.com/usvn/usvn/pull/59/commits/a2c315a75a518ba57d385dc3a56866541ec06faf)
- 2020-05-07 Initial discovery.
- 2020-05-13 Report to the USVN security team.
- 2020-05-18 USVN acknowledgement stating that the report is under review.
- 2020-05-18 XSS fix published (http://www.usvn.info/2020/05/20/usvn-1.0.9).
- 2020-08-12 Disclosure.
- Mickael Karatekin, Sysdream (m.karatekin-at-sysdream-dot-com)