
CVE-2021-32828: Nuxeo vulnerable to Reflected Cross-Site Scripting leading to Remote Code Execution

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.72735%
Published: 1/6/2023
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: org.nuxeo.ecm.platform:nuxeo-platform-oauth
Ecosystem: maven
Vulnerable Versions: <= 10.10
First Patched Version: (not listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is in the OAuth2 callback handler, where user-controlled input (the serviceProviderName path parameter) is reflected directly into the HTTP response without output encoding. The advisory shows the endpoint returning the unescaped input in its error message ("No service provider called: [input]"), and code review confirms the value is placed into the response by plain string concatenation. Because the XSS is reflected, an attacker needs a Nuxeo user to open a crafted link (CVSS UI:R); the injected JavaScript then runs in that user's browser with that user's session, and is leveraged to execute arbitrary automation API operations, which is how the XSS is escalated to code execution.
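As an added illustration (not code from this page or from Nuxeo), the following shows the reflected error-message pattern the analysis describes beside an output-encoded version. The class, method and provider names are hypothetical, and the provider map is constructed for the example.

```java
import java.util.Map;

// Hypothetical stand-in for an OAuth2 callback error path; not Nuxeo's code.
public final class ServiceProviderErrorDemo {

    // Constructed registry of known service providers for the example.
    private static final Map<String, String> PROVIDERS =
            Map.of("github", "https://github.com/login/oauth");

    // Vulnerable pattern: the path segment is concatenated into an HTML body as-is,
    // so a value like <script>...</script> is returned to the browser unescaped.
    static String errorBodyUnsafe(String serviceProviderName) {
        if (PROVIDERS.containsKey(serviceProviderName)) {
            return "OK";
        }
        return "<html><body>No service provider called: "
                + serviceProviderName + "</body></html>";
    }

    // Hardened pattern: the same message, but the reflected value is HTML-encoded
    // before it is written into the response body.
    static String errorBodySafe(String serviceProviderName) {
        if (PROVIDERS.containsKey(serviceProviderName)) {
            return "OK";
        }
        return "<html><body>No service provider called: "
                + htmlEscape(serviceProviderName) + "</body></html>";
    }

    // Minimal HTML entity encoder for text content and attribute values.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed input: what an attacker would place in the path segment.
        String payload = "<script>alert(document.domain)</script>";
        System.out.println(errorBodyUnsafe(payload)); // script tag survives verbatim
        System.out.println(errorBodySafe(payload));   // &lt;script&gt;... is inert text
    }
}
```

Encoding at the point of output is the fix that preserves the current message. An equally valid hardening is to not reflect the input at all: log the unknown provider name server-side and return a generic error, and serve error responses with a text/plain content type so that even an accidental reflection is not parsed as HTML.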


WAF Protection Rules

WAF Rule

The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution.
