VYPR
Unrated severity · NVD Advisory · Published May 13, 2020 · Updated Sep 16, 2024

Persistent XSS in markdown parser used by obs-server

CVE-2020-8020

Description

An Improper Neutralization of Input During Web Page Generation (CWE-79) vulnerability in open-build-service allows remote attackers to store arbitrary JavaScript code, resulting in cross-site scripting (XSS). This issue affects: openSUSE open-build-service versions prior to 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Persistent (stored) XSS in the markdown parser used by open-build-service lets an attacker who can submit markdown store arbitrary JavaScript that runs in other users' browsers, enabling session hijacking and data theft. Fixed in commit 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb.

Vulnerability

The open-build-service (OBS) is vulnerable to persistent (stored) XSS because the markdown parser it uses does not properly neutralize user-supplied input before the rendered HTML is placed on the page. An attacker can inject arbitrary JavaScript into markdown content; the content is stored and the script executes whenever another user views the page that renders it. Affected versions are those prior to commit 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb [1].

Exploitation

An attacker who can submit markdown content (for example comments or project descriptions) can embed malicious JavaScript in it. No authentication bypass is needed: any account permitted to post markdown suffices. Because the stored content is rendered without proper neutralization, the injected script executes in the victim's browser, in the context of the victim's session, when the victim visits the page displaying it [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any user viewing the stored markdown. This can lead to session hijacking, data theft, or other actions performed with the victim's privileges in OBS, potentially compromising the OBS instance and its users [1].

Mitigation

The vulnerability is fixed in commit 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb. Users should update their open-build-service installation to a version containing this commit. No workaround is documented [1].
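The following is an added example, not code from open-build-service or its fix commit. It is a deliberately tiny Ruby renderer for a markdown subset (**bold**, `code`, [text](url), paragraphs) written two ways: `render_unsafe` shows the class of bug described in the Vulnerability and Exploitation sections above, where user text is treated as HTML so raw tags and `javascript:` link targets reach the page; `render_safe` shows the neutralization a Mitigation of this kind needs, escaping every user-supplied character before the renderer's own tags are emitted and allowlisting link schemes. The module name, the markdown subset, and the payloads are all constructed for illustration.

```ruby
# Added example (not OBS code): minimal markdown-subset renderer, vulnerable
# and hardened, to show why "parser output goes straight into the page" is a
# persistent-XSS bug. Only **bold**, `code`, [text](url) and paragraphs are
# handled; this is an illustration, not a markdown implementation.
require "cgi"

module ToyMarkdown
  INLINE = /\*\*(.+?)\*\*|`(.+?)`|\[([^\]]+)\]\(([^)\s]+)\)/
  SAFE_SCHEMES = %w[http https mailto].freeze

  # Vulnerable: whatever the inline rules do not match is copied verbatim,
  # so <script> or <img onerror=...> in a stored comment reaches the page,
  # and link targets are not checked, so javascript: URLs survive too.
  def self.render_unsafe(src)
    paragraphs(src).map do |para|
      html = para.gsub(INLINE) do
        if $1 then "<strong>#{$1}</strong>"
        elsif $2 then "<code>#{$2}</code>"
        else "<a href=\"#{$4}\">#{$3}</a>"
        end
      end
      "<p>#{html}</p>"
    end.join("\n")
  end

  # Hardened: escape the whole paragraph first (the markdown markers survive
  # escaping, so the inline rules still match), then emit only the renderer's
  # own tags. A link is kept only if its target is a relative path or uses an
  # allowlisted scheme; otherwise just the link text is shown.
  def self.render_safe(src)
    paragraphs(src).map do |para|
      html = CGI.escapeHTML(para).gsub(INLINE) do
        if $1 then "<strong>#{$1}</strong>"
        elsif $2 then "<code>#{$2}</code>"
        elsif safe_url?(CGI.unescapeHTML($4)) then "<a href=\"#{$4}\">#{$3}</a>"
        else $3
        end
      end
      "<p>#{html}</p>"
    end.join("\n")
  end

  # Allowlist, not blocklist: javascript:, data:, vbscript:, protocol-relative
  # //host and entity-encoded forms such as &#106;avascript: all fail closed.
  def self.safe_url?(url)
    u = url.strip.downcase
    return true if u.start_with?("/") && !u.start_with?("//")
    SAFE_SCHEMES.any? { |s| u.start_with?("#{s}:") }
  end

  def self.paragraphs(src)
    src.split(/\n{2,}/)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed payload of the kind a stored comment could carry.
  payload = "Thanks! <img src=x onerror=alert(document.cookie)> [docs](javascript:alert%281%29)"
  puts ToyMarkdown.render_unsafe(payload)
  puts ToyMarkdown.render_safe(payload)
end
```

The two renderers differ only in where escaping happens: `render_safe` escapes before generating markup, so no byte of user input can ever be interpreted as a tag or attribute, and the link check is an allowlist so that encoding tricks (an entity-encoded `&#106;avascript:` that a browser would decode inside `href`) are rejected without having to enumerate them. In a real application the rendered HTML should additionally pass through the framework's sanitizer before reaching the template, so that a future parser feature cannot reopen the hole.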

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References (2)
