Sickrage Reflective Cross-site Scripting (XSS) Vulnerability

Solutionary ID: SERT-VDN-1018

Risk Rating: Medium

CVE ID: Pending

Product: Sickrage

Application Vendor: Sickrage

Vendor URL: https://github.com/SiCKRAGETV

Date discovered: 10/29/2015

Discovered by: Jacob Faires and Solutionary Engineering Research Team (SERT)

Vendor notification date: 12/08/2015

Vendor response date: No Response

Vendor acknowledgment date: No Response

Public disclosure date: 03/01/2016

Type of vulnerability: Cross-Site Scripting (XSS) - Reflected

Exploit Vectors: Local and Remote

Vulnerability Description: The application's web interface contains an injection point that allows Cross-site Scripting (XSS) attacks. Arbitrary client-side code such as JavaScript can be included in certain parameters throughout the web application. The following parameters and web pages have been tested and verified; however, additional views and parameters within the application may also be vulnerable:

Reflected XSS:
/config/postProcessing/savePostProcessing
/config/providers/saveProviders
/config/search/saveSearch
/config/subtitles/saveSubtitles
/home/addShows/newShow/
/home/postprocess/processEpisode

Tested on: Sickrage commit a58ca53 hosted on Arch Linux fully updated as of 03/01/2016

Affected software versions: Commit a58ca53

Impact: Successful attacks could disclose sensitive information about the user, session, and application to the attacker, resulting in a loss of confidentiality. Using XSS, an attacker could insert malicious code into a web page and entice naive users to execute the malicious code.

Fixed in: Not Fixed

Remediation guidelines: Restrict access to internal network segments and monitor vendor notifications for application updates that may address and fix the issues identified.
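The reflection defect named in the vulnerability description, beside its output-encoded form, and a check over access-log lines for the listed endpoints that supports the monitoring step in the remediation guidelines, as an added Python example that is not part of this advisory or of Sickrage's own code. The parameter name dir_name, the rendered markup and the log lines are constructed assumptions, not values taken from the advisory.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Pages the advisory lists as verified reflection points.
ADVISORY_ENDPOINTS = {
    "/config/postProcessing/savePostProcessing",
    "/config/providers/saveProviders",
    "/config/search/saveSearch",
    "/config/subtitles/saveSubtitles",
    "/home/addShows/newShow/",
    "/home/postprocess/processEpisode",
}

def render_vulnerable(value: str) -> str:
    """The defect class: a request parameter is written into the page unencoded."""
    return f"<p>Processing directory: {value}</p>"

def render_hardened(value: str) -> str:
    """Same output with HTML entity encoding; quote=True also covers quoted attribute context."""
    return f"<p>Processing directory: {html.escape(value, quote=True)}</p>"

def needs_encoding(value: str) -> bool:
    """True when the value has characters that would change HTML structure if reflected raw."""
    return html.escape(value, quote=True) != value

def flag_requests(log_lines):
    """Return (path, parameter) pairs for requests to advisory endpoints whose query values
    carry HTML metacharacters. POST bodies are absent from common-log lines; apply the same
    check to decoded form fields at the handler for the save* endpoints."""
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]          # e.g. 'GET /path?a=b HTTP/1.1'
            _method, target, _proto = request.split(" ")
        except (IndexError, ValueError):
            continue                              # malformed or truncated line
        parts = urlsplit(target)
        if parts.path not in ADVISORY_ENDPOINTS:
            continue
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            if any(needs_encoding(v) for v in values):
                hits.append((parts.path, name))
    return hits

# Constructed sample access-log lines; dir_name is a placeholder parameter, not one named by the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2016:10:00:00 +0000] "GET /home/postprocess/processEpisode?dir_name=%2Fdownloads%2Fshow HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Mar/2016:10:00:03 +0000] "GET /home/postprocess/processEpisode?dir_name=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 530',
    '10.0.0.9 - - [01/Mar/2016:10:00:05 +0000] "GET /home/displayShow?show=1 HTTP/1.1" 200 2048',
]
```

Running flag_requests(SAMPLE_LOG) reports only the second line, since the first carries a plain path and the third targets a page outside the advisory's list.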