VYPR
Unrated severity · NVD Advisory · Published Apr 28, 2020 · Updated Aug 4, 2024

CVE-2020-12261

Description

Open-AudIT 3.3.0 allows an XSS attack after login.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Open-AudIT 3.3.0 allows authenticated reflected cross-site scripting (XSS): crafted input appended to the search URL is echoed back unescaped by the framework's default error templates. Fixed in version 3.3.1.

Vulnerability

Open-AudIT 3.3.0 contains a reflected cross-site scripting (XSS) vulnerability in the default error templates of its bundled CodeIgniter framework. The templates echo user-supplied input into the error page without HTML encoding, so an authenticated attacker can have arbitrary JavaScript rendered into the response. The affected files are the default error templates under /code_igniter/application/errors/ [1][2].

Exploitation

The attacker must first be logged in to Open-AudIT. The proof-of-concept (PoC) shows that, after login, the attacker requests /open-audit/index.php/search/ with a script payload appended to the URL. The request is handed to one of the framework's default error templates, which echoes the offending input back unescaped, and the script runs in the browser of the logged-in user who loaded the URL [3][4]. Because the page is reachable only after login, a practical attack delivers the crafted link to a user who already has an Open-AudIT session.

Impact

Successful exploitation runs attacker-controlled JavaScript in the session of the authenticated user who opened the crafted URL. The script can issue requests to Open-AudIT as that user, read what that user can read, and alter the rendered interface (defacement); it can also exfiltrate the session cookie if the cookie is not marked HttpOnly. The attack scope is limited to the privileges of the victim user within Open-AudIT [1][2].

Mitigation

The vulnerability is fixed in Open-AudIT version 3.3.1, released in April 2020. The fix wraps the values rendered by the default error templates in htmlentities() so that reflected input is emitted as inert text rather than markup. Users running 3.3.0 should upgrade. If an immediate upgrade is not possible, administrators can apply the fix by hand by replacing the four error template files with the versions from the project's GitHub repository [1][2]; after doing so, confirm that no template still echoes a variable unencoded.
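To make the mechanism and the fix concrete, the following added example (written for this page; it is not Open-AudIT's or CodeIgniter's actual template code) renders an error page the way a CodeIgniter-style template does, once with a raw echo and once through htmlentities(), and adds a small heuristic scan that flags variables a template still echoes without encoding. The request path, the template strings and the function names are constructed for illustration; only the encoding call itself is the technique the page describes.

```php
<?php
// Added example for this page: not Open-AudIT's or CodeIgniter's own code.
// Shows (1) why an error template that echoes a request-derived value raw
// is a reflected XSS sink, (2) the htmlentities() output encoding that the
// 3.3.1 fix applies, and (3) a heuristic check for templates still left raw.
declare(strict_types=1);

// Vulnerable pattern: the CodeIgniter-style template echoes $heading and
// $message as-is, so markup in either value becomes part of the page.
function render_error_unescaped(string $heading, string $message): string
{
    return "<h1>{$heading}</h1>\n<p>{$message}</p>\n";
}

// Hardened pattern: encode at the point of output. ENT_QUOTES also encodes
// ' and " (safe inside attributes); naming UTF-8 avoids a locale-dependent
// default charset.
function render_error_escaped(string $heading, string $message): string
{
    $h = htmlentities($heading, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $m = htmlentities($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>{$h}</h1>\n<p>{$m}</p>\n";
}

// Heuristic audit for the manual mitigation: return the names of variables
// a template source still echoes without an encoding call around them.
// Matches "echo $var;" but not "echo htmlentities($var);".
function unescaped_echoes(string $phpSource): array
{
    preg_match_all('/echo\s+\$(\w+)\s*;/', $phpSource, $m);
    return array_values(array_unique($m[1]));
}

// Constructed input standing in for the path an attacker appends to
// /open-audit/index.php/search/ (hypothetical payload, not the PoC's own).
$badPath = '/search/"><script>alert(document.domain)</script>';
$message = "The page {$badPath} was not found.";

echo "--- raw echo (3.3.0 pattern) ---\n";
echo render_error_unescaped('404 Page Not Found', $message);
echo "--- htmlentities() (3.3.1 pattern) ---\n";
echo render_error_escaped('404 Page Not Found', $message);

// Audit: scan a real errors/ directory if one is given on the command line,
// otherwise two constructed template strings so the script runs stand-alone.
$targets = [];
if (isset($argv[1]) && is_dir($argv[1])) {
    foreach (glob(rtrim($argv[1], '/') . '/*.php') ?: [] as $file) {
        $targets[$file] = (string) file_get_contents($file);
    }
} else {
    $targets['constructed_vulnerable.php'] =
        '<h1><?php echo $heading; ?></h1><p><?php echo $message; ?></p>';
    $targets['constructed_fixed.php'] =
        '<h1><?php echo htmlentities($heading); ?></h1>'
        . '<p><?php echo htmlentities($message); ?></p>';
}

echo "--- templates still echoing raw variables ---\n";
foreach ($targets as $name => $source) {
    $raw = unescaped_echoes($source);
    printf("%s: %s\n", $name, $raw ? implode(', ', $raw) : 'none');
}
```

Run it as `php example.php` for the demonstration, or `php example.php /path/to/code_igniter/application/errors` to scan a real template directory after copying in the fixed files. The first rendering carries the script tag through verbatim; the second turns its angle brackets and quotes into entities, so the browser shows the payload as text. The scan is a regular expression, not a parser: a template that builds HTML through a helper of its own still has to be read by hand.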

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)