Executive Summary

This vulnerability affects ArangoDB Community Edition 3.4.2-1 and involves multiple cross-site scripting (XSS) issues in the Aardvark web admin interface. Attackers can inject malicious JavaScript code through various input parameters such as search fields, user management, and API parameters. These scripts execute in the browsers of authenticated users when they interact with the affected web interface.

• DOM-Based XSS in search inputs allowing script injection via URL parameters.
• Reflected and stored XSS vulnerabilities in user name fields via PATCH requests.
• Stored XSS through query deletion operations.
• Reflected and stored XSS on user creation parameters.
• DOM-Based XSS in user and database search inputs.

These vulnerabilities arise due to insufficient input sanitization and improper handling of user-supplied data, enabling attackers to execute arbitrary JavaScript code within the web application context.

Useful 0 Not Useful 0

Impact Analysis

The impact of these XSS vulnerabilities includes the potential for attackers to execute arbitrary JavaScript code in the browsers of authenticated users. This can lead to several malicious outcomes such as:

• Session hijacking, allowing attackers to steal user sessions and impersonate legitimate users.
• Unauthorized actions performed on behalf of the user within the ArangoDB web interface.
• The injection and execution of malicious scripts that could compromise user data or system integrity.

Overall, these vulnerabilities can undermine the security of the database administration interface and potentially lead to broader system compromise if exploited.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the ArangoDB web admin interface (Aardvark) for cross-site scripting (XSS) issues by injecting typical XSS payloads into various input fields and API parameters.'}, {'type': 'list_item', 'content': 'Inject the payload "><script>alert(1)</script> into the search input field at URL: http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#views and observe if the script executes.'}, {'type': 'list_item', 'content': 'Send a PATCH request to the API endpoint /_db/_system/_api/user/root with the parameter \'name\' set to "><script>alert(2)</script> to check for reflected and stored XSS.'}, {'type': 'list_item', 'content': 'Test stored XSS by performing query deletion operations via GET requests to /_db/_system/_api/user/root and observe if injected scripts execute.'}, {'type': 'list_item', 'content': 'Attempt to add a user via POST to /_db/_system/_api/user with parameters \'user\' and \'name\' containing payloads like "><script>alert(3)</script> or "><script>alert(4)</script> to detect stored/reflected XSS.'}, {'type': 'list_item', 'content': 'Inject "><script>alert(5)</script> into the user management search input at http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#users to test for DOM-based XSS.'}, {'type': 'list_item', 'content': 'Inject "><script>alert(6)</script> into the database search input at http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#databases to test for DOM-based XSS.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

I don't know

Useful 0 Not Useful 0