CVE-2026-53662
Reflected XSS in Immich Photo Management Solution

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The continue query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation, allowing attacker-controlled JavaScript to execute inside Immich's origin. The payload then uses the victim's existing session to mint an all-permission API key on their account, leading to persistent account takeover. This vulnerability is fixed in commit 4eb1003.
Generated: 2026-06-24
Affected Vendors & Products

Vendor      Product   Version / Range
immich-app  immich    from commit 4ffa26c9 until commit 4eb1003

The CPE entry lists 4eb1003 as inclusive, but the description identifies 4eb1003 as the fixing commit; builds that include it are not affected.
CWE

CWE ID   Description
CWE-79   The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-601  The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Executive Summary

This vulnerability is a reflected cross-site scripting (XSS) issue in the immich application's /auth/login page. It occurs because the continue query parameter is taken directly from the URL and passed to SvelteKit's redirect() function without validating its scheme or origin.

An attacker can craft a link whose continue value is not a same-origin HTTP(S) URL (the fix specifically rejects non-HTTP protocols and cross-origin targets). When an authenticated user opens that link, the unchecked redirect runs the attacker's JavaScript within the immich application's origin.

The script then uses the victim's active session to generate an API key with all permissions on the victim's account, giving the attacker persistent access that does not depend on the hijacked browser session.

Impact Analysis

A single click on a malicious link is enough to compromise any authenticated user's account; the victim needs to do nothing else.

Arbitrary JavaScript executes in the context of the immich application, which is enough to call the API with the victim's session and mint an all-permission API key on the victim's account.

That key gives the attacker long-term unauthorized access to the victim's data and actions within immich, independent of the browser session that was abused to create it.

The reported CVSS score of 9.6 reflects full confidentiality, integrity, and availability compromise of the affected accounts.

Mitigation Strategies

Update immich to a build that includes commit 4eb1003, which disallows cross-origin targets and non-HTTP protocols for the continueUrl parameter on the login page. The advisory describes no configuration workaround short of updating.

The fix validates the scheme and origin of the continue query parameter before it reaches redirect(), so a javascript: URL or a link to another host can no longer turn the post-login redirect into script execution inside Immich's origin. Because the described payload mints an all-permission API key, updating alone does not evict an attacker who already exploited the bug: after upgrading, have users review the API keys on their accounts and revoke any they do not recognize.

Compliance Impact

The vulnerability allows an attacker to fully compromise any authenticated user's account via a reflected cross-site scripting (XSS) attack, leading to persistent account takeover.

Such a compromise could result in unauthorized access to personal or sensitive data managed by the application, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding user data and preventing unauthorized access.

However, the provided information does not explicitly describe the direct impact on compliance with these standards or any specific regulatory consequences.

Detection Guidance

The description places the flaw in the continue query parameter of the /auth/login page: the value is handed to SvelteKit's redirect() without scheme or origin validation, and the fix (commit 4eb1003) rejects non-HTTP schemes and cross-origin targets. Detection should therefore look for continue values on /auth/login that are not same-origin HTTP(S) paths, not only for HTML tags.

Inspect web server logs or network captures for requests to /auth/login whose continue parameter carries a non-HTTP scheme (javascript: or data:, usually logged percent-encoded as javascript%3A), an absolute URL to a host other than the Immich instance, or a protocol-relative target (//host/...). Because nginx logs the request line as sent, match both the encoded and decoded spellings.

  • Use grep or similar tools to search for suspicious patterns in access logs, for example:
  • grep -i 'continue=' /var/log/nginx/access.log | grep -E '%3Cscript%3E|<script>'
  • That pattern only catches HTML-injection probes; also search the same lines for the javascript%3A, data%3A, https?%3A and %2F%2F forms described above, and review every continue value that does not decode to a path on the Immich origin.
  • Use curl or wget to test the /auth/login endpoint with crafted payloads to see if the response reflects the input without proper sanitization.
  • Example curl command to test for reflected XSS:
  • curl -i 'http://your-immich-domain/auth/login?continue=%3Cscript%3Ealert(1)%3C/script%3E'

A response that reflects the injected value without encoding indicates the vulnerability, but a clean curl response is not proof of safety: SvelteKit can perform the redirect in the browser during client-side navigation, where curl never sees it. The reliable check is whether the deployed build includes commit 4eb1003.
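The following is an added example, not code from immich, the advisory, or commit 4eb1003. It shows in one place the validation the Mitigation Strategies section describes (accept only same-origin HTTP(S) targets before calling redirect()) and the detection this section calls for, by running that same check over constructed nginx access-log lines. APP_ORIGIN (https://photos.example), the function names, the host names and every log line are assumptions made for the example; the actual immich patch may be structured differently.

```javascript
// Added example (not immich's code): classify the `continue` value the way
// the described fix does (same-origin HTTP(S) only), and run the same check
// over web-server access logs to surface exploitation attempts.
// APP_ORIGIN, the host names and every log line below are constructed for
// this example.
const APP_ORIGIN = 'https://photos.example';

// Returns { ok, reason, target }. `target` is always safe to hand to a
// redirect: a same-origin path, or '/' when the input was rejected.
function classifyContinueUrl(raw, appOrigin = APP_ORIGIN) {
  if (raw === null || raw === undefined || raw === '') {
    return { ok: true, reason: 'empty', target: '/' };
  }
  let url;
  try {
    // Relative paths resolve against the app origin; absolute URLs keep
    // their own scheme and host. The WHATWG parser also normalises tricks
    // such as upper-case schemes, embedded tabs/newlines and backslashes.
    url = new URL(raw, appOrigin);
  } catch {
    return { ok: false, reason: 'unparseable', target: '/' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    // javascript:, data:, etc. would execute or render attacker content.
    return { ok: false, reason: `non-http scheme ${url.protocol}`, target: '/' };
  }
  if (url.origin !== new URL(appOrigin).origin) {
    // Covers https://evil.example, //evil.example and user@host forms.
    return { ok: false, reason: `cross-origin ${url.origin}`, target: '/' };
  }
  return { ok: true, reason: 'same-origin', target: url.pathname + url.search + url.hash };
}

// Drop-in for the login page: only ever returns a same-origin path.
// In a SvelteKit load function this would be used as (illustrative):
//   redirect(302, safeContinueUrl(url.searchParams.get('continue')))
function safeContinueUrl(raw, appOrigin = APP_ORIGIN) {
  return classifyContinueUrl(raw, appOrigin).target;
}

// --- Detection over nginx "combined"-style access log lines ---------------
const REQUEST_LINE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/;

// Returns one record per /auth/login request whose continue value fails the
// same check the fix applies, or carries an HTML-injection probe.
function scanAccessLog(lines, appOrigin = APP_ORIGIN) {
  const findings = [];
  for (const line of lines) {
    const m = REQUEST_LINE.exec(line);
    if (!m) continue;
    let req;
    try { req = new URL(m[1], appOrigin); } catch { continue; }
    if (req.pathname !== '/auth/login') continue;
    // searchParams decodes once, matching what the application sees.
    const cont = req.searchParams.get('continue');
    if (cont === null) continue;
    const verdict = classifyContinueUrl(cont, appOrigin);
    let reason = verdict.ok ? null : verdict.reason;
    if (reason === null && /[<>]/.test(cont)) reason = 'html-probe';
    if (reason !== null) {
      findings.push({ client: line.split(' ')[0], continue: cont, reason });
    }
  }
  return findings;
}

// Constructed sample log (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [23/Jun/2026:10:00:01 +0000] "GET /auth/login?continue=%2Fphotos HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [23/Jun/2026:10:00:05 +0000] "GET /auth/login?continue=javascript%3Aalert(document.domain) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [23/Jun/2026:10:00:09 +0000] "GET /auth/login?continue=https%3A%2F%2Fevil.example%2F HTTP/1.1" 200 512 "-" "curl/8.0"',
  '203.0.113.5 - - [23/Jun/2026:10:00:12 +0000] "GET /api/server/ping HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
  '203.0.113.8 - - [23/Jun/2026:10:00:15 +0000] "GET /auth/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [23/Jun/2026:10:00:20 +0000] "GET /auth/login?continue=%2F%2Fevil.example%2Fx HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

// Demo run: prints the three flagged entries (javascript: scheme, absolute
// cross-origin URL, protocol-relative cross-origin URL).
console.log(scanAccessLog(SAMPLE_LOG));
```

Run it with node to print the flagged entries. The validator leans on the WHATWG URL parser, which is why `\\evil.example`, upper-case `JAVASCRIPT:` and protocol-relative `//evil.example` all fall to the scheme or origin check rather than needing ad-hoc string matching. The scanner decodes the request line once, as the application does, so a double-encoded value is judged in the form the app would act on (a same-origin path), and the `<`/`>` probe heuristic is kept separate because an HTML tag inside a same-origin path is not the redirect vector this advisory describes.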
