Full Report
Modern JS frameworks like React, Angular and Vue safeguard against XSS. If you want to include input as HTML, there are mechanisms to do this, but they are dangerous. Vue.js uses the mustache template syntax for this; additionally, the v-html attribute can be used. In Firefly III, the researchers spotted a web request response that was rendered with the unsafe HTML rendering. At first glance, the response is not controlled by the attacker. However, the web request used user input for an ID, so path traversal was possible, but only on the client side. The author got somewhat lucky here: they found an endpoint with a field of the same key that reflected data from the request. Hence, the traversal led to XSS. The page had a good CSP, which prevented bigger attacks. Since the field is supposed to be raw HTML, the maintainers couldn't just remove the directive. Instead, the ID is first parsed as an integer, and then no dynamic data is returned in the response. Overall, a good find and an interesting use case for client-side path traversal.
Analysis Summary
# Vulnerability: XSS via Client-Side Path Traversal and Sanitization Bypass in Firefly III
## CVE Details
- **CVE ID**: CVE-2024-22075
- **CVSS Score**: Not explicitly provided in the text (typically High for XSS leading to session theft)
- **CWE**: CWE-79 (Cross-site Scripting), CWE-35 (Path Traversal)
## Affected Systems
- **Products**: Firefly III (Personal finance manager)
- **Versions**: Versions prior to v6.1.1
- **Configurations**: Instances where the application uses Vue.js and renders API error responses using the `v-html` directive.
## Vulnerability Description
The vulnerability arises from a combination of two flaws:
1. **Sanitization Bypass**: The application uses the Vue.js `v-html` directive to render the `error_message` variable. This directive bypasses Vue's automatic HTML escaping, rendering content as raw HTML.
2. **Client-Side Path Traversal (CSPT)**: The application fetches data from an API endpoint by appending a user-controlled ID from the URL (e.g., `window.location.href`). An attacker can use path traversal sequences (e.g., `..%2f`) in the URL to redirect the API request to a different endpoint.
When the application makes a request to a traversed endpoint that returns an error, the attacker can influence the error message. In this case, the attacker targets an endpoint where a reflected input is returned in a JSON error response. This reflected input is then assigned to `error_message` and rendered unsafely via `v-html`, resulting in Cross-Site Scripting (XSS).
## Exploitation
- **Status**: PoC discovered and verified by researchers.
- **Complexity**: Medium (Requires finding a secondary endpoint that reflects input in a JSON error key).
- **Attack Vector**: Network (Remote via malicious URL).
## Impact
- **Confidentiality**: High (Can result in the theft of session cookies or sensitive financial data).
- **Integrity**: High (Allows unauthorized actions on behalf of the user).
- **Availability**: Low (Can lead to account lockout or UI defacement).
## Remediation
### Patches
- **Version v6.1.1**: The maintainers released a patch that implements several fixes:
  - Inputs for IDs are now strictly parsed as integers.
  - API error responses were modified to return static messages rather than reflecting dynamic input.
  - Unsafe rendering was replaced where possible.
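The two halves of the bug described above, each beside the hardened form that the v6.1.1 fixes take, as an added example written for this summary (not Firefly III's own code). The base URL, the endpoint names, the router-decoding helper and the message table are constructed for illustration; only the integer parsing and the static error messages reflect what the advisory reports.

```javascript
const API_BASE = 'https://app.example/api/v1/accounts/'; // constructed, not a real endpoint

// A router such as Vue Router hands the :id param to the page already
// percent-decoded, so a segment typed as "..%2f..%2fsearch" arrives as
// "../../search". Without this decoding step, "%2f" is an opaque byte to
// the URL parser and no traversal happens on the client.
function routerParam(rawSegment) {
  return decodeURIComponent(rawSegment);
}

// Vulnerable pattern: the decoded ID is concatenated into the API path.
// URL parsing resolves the dot-segments, so the request leaves /accounts/.
function buildApiUrlUnsafe(id) {
  return new URL(API_BASE + id).toString();
}

// Hardened pattern (the v6.1.1 approach): only a plain decimal integer is
// accepted, which leaves no characters that could form a traversal.
function buildApiUrlSafe(id) {
  if (!/^\d+$/.test(id)) throw new Error('invalid id: ' + id);
  return new URL(API_BASE + String(parseInt(id, 10))).toString();
}

// Vulnerable pattern: whatever the JSON error body says is handed to v-html.
function errorHtmlUnsafe(jsonBody) {
  return jsonBody.message;
}

// Hardened pattern: a static message keyed on the HTTP status, and HTML
// escaping for any text that still has to come from the response body.
const STATIC_MESSAGES = {
  404: 'The requested record was not found.',
  422: 'The request could not be processed.',
};
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function errorHtmlSafe(status, jsonBody) {
  return STATIC_MESSAGES[status] || escapeHtml(String(jsonBody.message || 'Request failed.'));
}

// Walk through the traversal from the summary (segment constructed here).
if (typeof require !== 'undefined' && require.main === module) {
  const id = routerParam('..%2f..%2fsearch%3Fq%3Dreflected');
  console.log('unsafe  :', buildApiUrlUnsafe(id)); // request escapes /accounts/
  try { buildApiUrlSafe(id); } catch (e) { console.log('safe    :', e.message); }
  console.log('rendered:', errorHtmlSafe(500, { message: '<b>reflected</b>' }));
}
```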
### Workarounds
- **Input Validation**: Ensure all client-side inputs used for URL construction are sanitized/validated.
- **Client-Side Sanitization**: Use libraries like **DOMPurify** to sanitize any string before passing it to `v-html`.
- **Content Security Policy (CSP)**: Implement a strict CSP to prevent the execution of inline scripts and unauthorized external scripts.
## Detection
- **Indicators of Compromise**: Presence of path traversal characters (`..%2f`, `%2e%2e%2f`) in URLs followed by API-related paths.
- **Detection Methods**:
  - Static Analysis (SAST): Scan code for instances of `v-html`, `dangerouslySetInnerHTML`, or `.innerHTML` linked to values fetched from APIs.
  - Dynamic Analysis (DAST): Test URL parameters for path traversal that alters the intended API call.
## References
- Vendor Advisory: hxxps://github[.]com/firefly-iii/firefly-iii/
- Original Research: hxxps://www[.]sonarsource[.]com/blog/front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire/