Compliance Impact

The vulnerability is a stored Cross-Site Scripting (XSS) flaw that allows injection and execution of arbitrary JavaScript in the campaign content rendering functionality. This can lead to session hijacking, unauthorized actions, phishing, and credential harvesting.

Such security issues can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access to user data, compromise of personal information, and failure to protect data confidentiality and integrity.

Specifically, GDPR requires appropriate technical measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage. Similarly, HIPAA mandates safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.

Since this vulnerability allows remote exploitation and can affect multiple users, it poses a risk to meeting these regulatory requirements unless properly mitigated.

Useful 0 Not Useful 0

Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue in the Mettle SendPortal application, specifically in the campaign content rendering functionality.

An attacker can inject arbitrary JavaScript code into the content field of a campaign. This malicious script is then rendered without proper sanitization using Laravel Blade's raw rendering directive `{!! $content !!}`.

When the campaign preview page or the public webview link is accessed, the injected JavaScript executes immediately, even without authentication.

Useful 0 Not Useful 0

Impact Analysis

The impact of this vulnerability includes the potential for session hijacking, unauthorized actions performed via the victim's session, and phishing or credential harvesting attacks.

Because the malicious script executes in the context of the victim's browser, attackers can steal sensitive information or perform actions on behalf of the user.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the SendPortal application is rendering campaign content using the Laravel Blade directive `{!! $content !!}` without proper sanitization. Specifically, the vulnerable file is `vendor/mettle/sendportal-core/resources/views/webview/show.blade.php`.

To detect exploitation attempts on your system or network, you can monitor HTTP requests to the `/webview/{hash}` endpoint for suspicious payloads containing JavaScript code such as `<script>alert("XSS")</script>` or other script tags.

Example commands to detect potential exploitation attempts include:

• Using grep to search web server logs for suspicious script tags: `grep -i '<script>' /var/log/nginx/access.log` or `grep -i '<script>' /var/log/apache2/access.log`
• Using curl to test the vulnerable endpoint with a payload: `curl -X POST -d 'content=<script>alert(1)</script>' https://your-sendportal-domain/webview/{hash}` (replace `{hash}` with an actual campaign hash)
• Review the source code or deployment to verify if the `{!! $content !!}` directive is used without sanitization in the mentioned file.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include sanitizing user input before rendering or storing it to prevent execution of malicious JavaScript.

Specifically, it is recommended to use a sanitization tool such as Mews\Purifier\Facades\Purifier to clean the content field.

Additionally, avoid using the raw rendering directive `{!! $content !!}` in Laravel Blade templates. Instead, use the escaped rendering directive `{{ $content }}` to prevent unescaped HTML or script execution.

Since the project has not yet responded with a patch, these code changes or input sanitization should be applied as a temporary fix.

Also, monitor and restrict access to the `/webview/{hash}` endpoint if possible, and educate users about the risk of injecting untrusted content.

Useful 0 Not Useful 0