Evolution CMS, FUDForum, and GitBucket vulnerabilities chained for maximum impact
Researchers have released details on a trio of cross-site scripting (XSS) vulnerabilities in popular open source apps that could lead to remote code execution (RCE).
The security bugs, found by a research team from PT Swarm, were discovered in web development applications Evolution CMS, FUDForum, and GitBucket.
Web security researcher Aleksey Solovev told The Daily Swig that this research, detailed in PT Swarm’s blog, relates to how “the combination of the discovered possibility of conducting an XSS attack and the built-in file manager (or executing a SQL query) in the administrator panel can lead to a complete compromise of the system”.
The first vulnerability, in Evolution CMS v3.1.8, could allow an attacker to carry out a reflected XSS attack in several places in the admin panel.
“The consequence would be a complete compromise of the system by overwriting the executable file using the built-in file manager.”
A second flaw, found in FUDforum v3.1.1, could potentially allow a malicious actor to carry out a stored XSS attack in the name of the attached file in private messages.
“An attacker could send a private message to an administrator with a malicious payload in the name of the attached file,” said Solovev.
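The stored XSS described above arises when an attachment's user-supplied name is written into the page without contextual output encoding. The following added example (not FUDforum's code, and using a constructed filename rather than anything from the research) contrasts the vulnerable concatenation pattern with encoded rendering and gives a check that the name no longer contributes raw markup:

```python
import html
from urllib.parse import quote

# Constructed sample attachment name for the check below; it is illustrative,
# not a payload taken from the article or the PT Swarm research.
SAMPLE_NAME = 'report"<b onload=x>.pdf'


def vulnerable_attachment_html(filename: str) -> str:
    """Link built by string concatenation: the stored filename lands in an
    attribute value and a text node unchanged, so any markup in it is live."""
    return f'<a href="/download?file={filename}">{filename}</a>'


def safe_attachment_html(filename: str) -> str:
    """Same link with encoding chosen per context: percent-encoding for the
    query string, HTML escaping (quotes included) for attribute and text."""
    href = quote(filename, safe="")
    label = html.escape(filename, quote=True)
    return f'<a href="/download?file={href}">{label}</a>'


def raw_tag_count(rendered: str) -> int:
    """Number of '<' characters in the rendered fragment. The template itself
    contributes exactly two (<a ...> and </a>); anything beyond that came
    from the filename and would be parsed as markup by a browser."""
    return rendered.count("<")


if __name__ == "__main__":
    for render in (vulnerable_attachment_html, safe_attachment_html):
        out = render(SAMPLE_NAME)
        print(f"{render.__name__}: {raw_tag_count(out)} raw '<'  ->  {out}")
```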
Finally, in GitBucket v4.37.1, a security bug was discovered that could enable an attacker to carry out a stored XSS attack in “several places”, according to Solovev.
“In the admin panel, it was possible to execute SQL code based on the H2 Database Engine, for which there is already an exploit that allows you to execute a command on the server,” Solovev explained.
“Putting everything together, an attacker could attack the administrator and gain the ability to execute commands on the server.”
All three vulnerabilities are pending a CVE but have been patched by the maintainers of the projects, Solovev told The Daily Swig.
The researcher added that the main difficulty in discovering these flaws was finding a way to conduct an XSS attack in the first place.
“The rest of the steps were easier because they had public exploits for legitimate functionality in the form of a file manager in the admin panel,” he explained.
More information about the vulnerabilities and technical detail on the exploit can be found in PT Swarm’s blog.