Security flaw allowed attackers to gain a foothold into a victim’s network

Beego patches severe XSS vulnerability in open source web framework

Beego has patched a severe cross-site scripting (XSS) vulnerability that could lead to the compromise of a victim’s session or account.

Beego is an open source framework designed for building and developing applications in the Golang (Go) programming language, including RESTful APIs and backend systems.

The modular web framework includes features for code compilation, automated testing, and both the packing and deployment of Go builds. The Beego project is available on GitHub.

Read more of the latest open source software security news

Last month, application security researcher Omri Inbar, who is also a member of the Checkmarx team, disclosed the XSS vulnerability to Beego.

Tracked as CVE-2021-39391, the bug, of which a CVSS score is yet to be assigned, was found in the administration panel of Beego v2.0.1.

Speaking to The Daily Swig, Inbar said that when a user navigates to a page on a website managed by the framework, the request details – such as the requested URL and Method type – are then logged and stored on the ‘Request Statistics’ page in the administrator panel.

However, it was possible for attackers to try to navigate to a page that did not exist while including a payload – such as HTML tags or JavaScript – and, as there is a lack of sanitization, this would then be forwarded to the Request Statistics page and would run on the admin’s browser.

Blind XSS

This form of attack is known as a blind XSS (a variant of a stored XSS) because the potential victim needs to run a payload before the attacker knows whether or not the code has successfully been executed.

In this case, it could be that a threat actor would be able to hijack accounts by stealing session cookies, initiate activities based on the victim’s privilege level, and more.

Inbar reported the flaw on August 15. Beego acknowledged the bug a day later and committed a fix on the same day. The CVE was assigned on September 15.

Beego v2.0.2 contains a fix for the vulnerability.

YOU MAY ALSO LIKE VMware security warning: Multiple vulnerabilities in vCenter Server could allow remote network access