Stored XSS & File Upload vulnerabilities found in Cervantes

Cervantes versions Alpha 0.5 and below were found to be vulnerable to Stored XSS in multiple places, in addition to being vulnerable to Insecure File Upload, which could be used for HTML Injection attacks.

CVE-2024-42054
CVE-2024-42055

Summary

Cervantes is a great open-source, collaborative platform designed specifically for penetration testers and red teams, which serves as a comprehensive management tool, streamlining the organization of projects, clients, vulnerabilities, and reports in a single, centralized location.

During our testing, we found that the Alpha 0.5 version of the application contains multiple Cross-Site Scripting (XSS) vulnerabilities and an Insecure File Upload vulnerability, which results in HTML Injection.

NOTE: As part of our responsible disclosure practices, we communicated all details of the vulnerabilities to the product owner in June 2023. Since then, a fix for the reported findings has been added to the code in the GitHub repository. However, a release has not yet been created.

Timeline

  • Vulnerability reported to the Cervantes team – June 06, 2023
  • Fix released to the code – Feb 03, 2024

Recommendation

  1. While an official release is not yet available, we found that fixes were added to the main branch of the application’s GitHub repository. As such, users can build the image from the latest changes in the repository and use it in docker-compose.
  2. Keep an eye on updates from the app’s developers regarding any patches or security updates.

Reference

Written by
Jinson Varghese