CVE-2019-25367
Description
ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface (index.html) through search, user management, and API parameters. Attackers can inject scripts via parameters in /_db/_system/_admin/aardvark/index.html to execute JavaScript in authenticated users' browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ArangoDB Community Edition 3.4.2-1's Aardvark admin interface contains multiple XSS vulnerabilities reachable via search, user management, and API parameters, allowing script injection in authenticated users' browsers.
Vulnerability Type
The ArangoDB Community Edition 3.4.2-1 Aardvark web admin interface (accessible via /_db/_system/_admin/aardvark/index.html) suffers from multiple cross-site scripting (XSS) vulnerabilities. The flaws exist in the search functionality, user management (the name parameter), and API endpoints, and cover both reflected and stored XSS paths [2].
Attack Vector
An attacker can inject malicious scripts by crafting parameters in the URL, e.g., a DOM-based XSS via the search input field using the payload "> on the views page [2]. Additionally, a reflected/stored XSS can be triggered by sending a PATCH request to the user API endpoint /_system/_api/user/root with a name parameter containing script code; the value is stored and later executed when the admin interface renders it [2]. The interface is intended for authenticated admin users, so the attacker would need to trick an authenticated admin into visiting a crafted link or submitting a specially crafted API call.
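The stored path above comes down to a user record's name field being written into the admin page as live markup. The following added example (not ArangoDB's or Aardvark's code) shows that unsafe rendering pattern beside an escaped one, plus a small audit helper a defender can run over stored user records; the record shape, the `name` field and the sample values are constructed for this demo.

```javascript
// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: a stored field is concatenated straight into markup,
// so a name containing tags becomes part of the page when it is displayed.
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.user}</td><td>${user.name}</td></tr>`;
}

// Hardened pattern: every stored field is escaped before it reaches the DOM.
// (Using textContent instead of innerHTML in the browser achieves the same.)
function renderUserRowSafe(user) {
  return `<tr><td>${escapeHtml(user.user)}</td><td>${escapeHtml(user.name)}</td></tr>`;
}

// Audit helper: flag stored user records whose display name carries
// characters that have no business in a person's name but do form markup.
function findSuspiciousNames(users) {
  return users.filter((u) => /[<>"']/.test(u.name == null ? '' : String(u.name)));
}

// Constructed sample records, as a user-management listing might hold them.
// The second one is the kind of value a crafted PATCH could have stored.
const sampleUsers = [
  { user: 'root', name: 'Administrator' },
  { user: 'alice', name: 'Alice <b>"Ops"</b> & co' },
];

// Stand-alone run: show the difference and list what the audit flags.
console.log(renderUserRowUnsafe(sampleUsers[1]));
console.log(renderUserRowSafe(sampleUsers[1]));
console.log(findSuspiciousNames(sampleUsers).map((u) => u.user));
```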
Impact
Successful exploitation allows attackers to execute arbitrary JavaScript within the context of the authenticated user's browser session. This can lead to theft of session cookies, UI modification, or further actions against the ArangoDB instance within the admin's privileges.
Mitigation
No official patch appears to have been released by the vendor at the time of disclosure; users should restrict access to the Aardvark interface via network segmentation, enforce HTTPS, and implement Content Security Policy headers. The affected version line (3.4.x) is end-of-life and may no longer be supported by the vendor, so upgrading to a later version is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 3.4.2-1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.