Cross-Site Scripting in Migration Planner UI App

Compliance Impact

This vulnerability allows an attacker to execute malicious JavaScript code within a user's browser session by exploiting a stored cross-site scripting (XSS) flaw. This can lead to compromise of the victim's Red Hat Single Sign-On (SSO) session, enabling unauthorized cross-tenant data access and API actions.

Such unauthorized access and potential data compromise could negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls on unauthorized access to personal and sensitive data.

By enabling persistent compromise within an organization and unauthorized data access, this vulnerability increases the risk of data breaches and non-compliance with regulatory requirements related to data confidentiality and integrity.

Useful 0 Not Useful 0

Executive Summary

This vulnerability is a stored cross-site scripting (XSS) flaw in the migration-planner-ui-app component of Red Hat's migration planner.

An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. This URL is rendered in the user interface without proper validation, allowing the embedded malicious code to execute when an organizational user clicks the link.

The malicious script executes within the user's browser session under the http://console.redhat.com origin, potentially compromising the victim's Red Hat Single Sign-On (SSO) session.

This can lead to unauthorized cross-tenant data access and API actions, resulting in persistent compromise within the organization.

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability allows an attacker to execute malicious JavaScript in the context of a victim's browser session.

This can compromise the victim's Red Hat Single Sign-On (SSO) session, enabling the attacker to perform unauthorized actions such as accessing data across different tenants and invoking APIs as the victim.

Such unauthorized access can lead to data breaches, loss of confidentiality, and potential disruption of services within the affected organization.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying if any registered discovery agent in the migration-planner-ui-app has a credentialUrl containing a malicious or non-standard URL scheme such as "javascript:".

Since the vulnerability involves stored cross-site scripting via the credentialUrl field, detection involves inspecting the data stored for discovery agents and monitoring user interactions with these URLs in the UI.

Commands or methods to detect this might include querying the database or API for discovery agents with credentialUrl fields starting with "javascript:" or other suspicious schemes.

• Use database queries or API calls to list discovery agents and filter for credentialUrl values starting with "javascript:" or other non-http/https schemes.
• Monitor web application logs or browser console logs for script execution errors or suspicious activity triggered by clicking credentialUrl links.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves applying the patch that introduces the safeExternalUrl() helper function to validate and restrict credentialUrl values to only allow http: and https: protocols.

This validation prevents malicious javascript: URLs from being rendered and executed in the user interface.

Additionally, review and sanitize existing discovery agent entries to remove or correct any credentialUrl values with unsafe schemes.

• Apply the patch (f101.patch) or update to the fixed version of migration-planner-ui-app that includes the safeExternalUrl() validation.
• Audit and clean existing credentialUrl entries to remove malicious URLs.
• Educate users to avoid clicking suspicious links until the fix is applied.

Useful 0 Not Useful 0