VYPR
Unrated severity · NVD Advisory · Published Feb 20, 2023 · Updated Mar 10, 2025

countly-server vulnerable to Cross-site Scripting

CVE-2021-32852

Description

Countly, a product analytics solution, is vulnerable to cross-site scripting prior to version 21.11 of the community edition. The victim must follow a malicious link or be redirected there from a malicious website. The attacker must have an account or be able to create one. This issue is patched in version 21.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Countly Community Edition prior to 21.11 contains a reflected cross-site scripting vulnerability in the password reset page due to insufficient escaping of backslashes.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in Countly Community Edition versions before 21.11. The bug is located in the password reset page template (frontend/express/views/reset.html), where the showMessage function receives the user-controlled message and password_min query parameters without backslashes being escaped before the values are interpolated into a JavaScript string literal [1][3]. Template engines typically HTML-escape interpolated values (encoding &, <, >, and quote characters), but HTML escaping leaves backslashes untouched; inside a JavaScript string literal a backslash escapes the character that follows it, so an attacker can neutralize the literal's closing quote and break out of the string [4].

Exploitation

To exploit this vulnerability, an attacker must have a valid account on the target Countly instance or be able to create one. The victim must click a specially crafted malicious link or be redirected to it from a malicious website. The attacker supplies a message parameter containing a single backslash (`\`) and a password_min parameter containing a payload such as `, alert(1)); //`. The backslash turns the closing quote of the first showMessage argument into an escaped character, so the string literal runs on until the opening quote of the second argument, and the rest of password_min is then parsed as JavaScript rather than as string content. Because the payload contains no quote characters, HTML escaping of quotes does not stop it. The server thus emits a script that, when executed in the victim's browser, runs the attacker's injected code [4].

Impact

Successful exploitation results in arbitrary client-side code execution in the context of the Countly application domain. The attacker can perform any action the victim can, including accessing or modifying data, initiating actions, and stealing session tokens. The scope is limited to the victim's browser; no server-side compromise occurs [4].

Mitigation

The vulnerability is patched in Countly Community Edition version 21.11, released on 2021-11-10 [2][4]. All users should upgrade to version 21.11 or later. No workarounds are available. There is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of this writing.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

References: 4