CVE-2016-1566
Description
Cross-site scripting (XSS) vulnerability in the file browser in Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location shared by multiple users, allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename. NOTE: this vulnerability was fixed in guacamole.war on 2016-01-13, but the version number was not changed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Guacamole file browser allows authenticated users to inject scripts via crafted filenames when file transfer is enabled to a shared location.
Vulnerability
Guacamole versions 0.9.8 and 0.9.9 contain a stored cross-site scripting (XSS) vulnerability in the file browser component. When file transfer is enabled to a location shared by multiple users, filenames containing HTML are not properly sanitized, allowing arbitrary web script or HTML to be injected [1]. The vulnerability exists in guacamole.war and was fixed on 2016-01-13 without a version number change [1].
Exploitation
An authenticated user with the ability to upload or create files in a shared location can craft a filename containing malicious HTML or JavaScript. When another user browses to that file in the Guacamole menu, the script executes in the context of the victim's session [1]. The attacker must have file transfer enabled to the shared location and the filesystem must allow angle brackets in filenames [1].
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the browser of any user who views the maliciously named file. The script runs with the privileges of the victim's Guacamole session, potentially leading to session hijacking, data theft, or further actions within the Guacamole interface [1].
Mitigation
The vulnerability was patched in the guacamole.war files for versions 0.9.8 and 0.9.9 on January 13, 2016. Administrators should download the updated guacamole-0.9.8.war or guacamole-0.9.9.war from the official source [1]. No workaround is provided; updating the WAR file is the recommended action. The advisory notes that only guacamole.war needs to be updated [1].
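As an added illustration of the bug class described above (this is not Guacamole's own code; the function names and the directory listing are constructed for the example), the vulnerable rendering pattern sits beside its escaped form, with an audit helper an administrator could run over a shared upload directory to flag filenames that would only be safe if the web client escapes them:

```python
import html
import re

# Characters an HTML parser treats as markup. A filename containing any of
# them is harmless on disk; it becomes a stored XSS only when a web file
# browser writes it into the page without escaping.
HTML_SIGNIFICANT = re.compile(r'[<>"\'&]')

# Constructed listing of a directory shared by several users (sample data).
SAMPLE_LISTING = [
    "quarterly-report.pdf",
    "notes.txt",
    "<b>shared</b> notes.txt",  # angle brackets allowed by the filesystem
]


def render_row_unsafe(name: str) -> str:
    """Vulnerable pattern: the raw filename is concatenated into markup."""
    return f'<li class="file">{name}</li>'


def render_row_safe(name: str) -> str:
    """Hardened pattern: escape before interpolation.

    quote=True also neutralises quotes, so the same helper is safe for
    attribute values (e.g. a title="..." tooltip on the row).
    """
    return f'<li class="file">{html.escape(name, quote=True)}</li>'


def audit_listing(names):
    """Return filenames worth reviewing because they contain HTML metacharacters.

    Intended as a defender's check over a shared transfer directory, not as
    a substitute for output encoding in the client.
    """
    return [n for n in names if HTML_SIGNIFICANT.search(n)]


if __name__ == "__main__":
    for name in audit_listing(SAMPLE_LISTING):
        print("suspicious:", name)
        print("  unsafe render:", render_row_unsafe(name))
        print("  safe render:  ", render_row_safe(name))
```

The unsafe row emits the filename's `<b>` as a live tag, while the safe row shows the literal text `&lt;b&gt;shared&lt;/b&gt;`; the audit only narrows what to review, the escaping is the actual fix.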
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.