We are writing to inform you of a recently discovered security issue in the CFEngine Enterprise web UI, Mission Portal. The issue has been fixed in the recently released 3.21.6 and 3.24.1 versions. Prior versions (3.24.0, 3.21.5, and below) are affected. We have no indications of this issue being exploited or known outside of the company. The issue was discovered thanks to the vulnerability scanning software Acunetix by Invicti.
Description
On the affected versions, some fields lack input validation, allowing an authenticated user with administrator-level privileges to store JavaScript in input text fields; the script is then executed in the browser of any other user who opens the same form (stored cross-site scripting). In addition to fixing this confirmed XSS, we also added much stricter input validation to many other fields in Mission Portal to prevent similar issues, even though we were not able to find anything exploitable in those cases.
Impact
The impact of this issue is quite limited: it exists inside settings, in a form that a normal (low-privilege) user can neither edit nor open. So in the recommended setup, where most users use lower-privileged roles, this issue can only be used to perform cross-site scripting between two administrator accounts, and it requires the victim to perform a quite specific action (opening the form that contains the injected value).
Remediation
To remediate the issue, please upgrade to CFEngine Enterprise 3.21.6, 3.24.1, or later versions. We recommend upgrading as soon as possible, not just to fix this specific issue but also to benefit from the other bugfixes and security improvements we put into every new release. Alternatively, you can mitigate the risk of this vulnerability by following a principle of least privilege approach, ensuring that only a few users have administrator access to settings, user management, etc., while other users only have access to what they need (for example reports, CMDB, dashboards, etc.).
Contact
For help with upgrading or additional questions, please contact support at: