CVE-2020-9299

Vulnerability

Multiple stored cross-site scripting (XSS) vulnerabilities exist in Netflix's open-source Dispatch application, affecting the name and description parameters of Incident Priority, Incident Type, Tag Type, and Incident Filter. An authenticated user can inject arbitrary JavaScript into these fields, which will be executed when other users view the affected data. The vulnerability is present in all versions prior to the v20201106 release [1].

Exploitation

An attacker must be an authenticated user with access to create or edit the vulnerable entities (Incident Priority, Incident Type, Tag Type, or Incident Filter). The attacker injects malicious script code into either the name or description field via the application's web interface. When other users load a page that renders this unsanitized input, the script executes in their browser context [1].

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary JavaScript in the context of other users' browsers within the Dispatch application. This can lead to session hijacking, data theft, or unauthorized actions performed on behalf of the victim. The impact is partially reduced if Dispatch is deployed in an internal environment with only trusted users, as the attacker would require a legitimate account [1].

Mitigation

The vulnerability is fixed in Dispatch release v20201106, published on 2020-11-06 [2]. Users should update to this version or later. As a general hardening measure, Netflix has published production deployment guidelines for Dispatch operators [1]. No workaround is mentioned for unpatched versions; organizations unable to update should restrict access to the application to trusted users only.