VYPR
Unrated severity · NVD Advisory · Published Aug 5, 2021 · Updated Aug 4, 2024

CVE-2021-38138

Description

OneNav beta 0.9.12 is vulnerable to stored XSS via the Add Link feature, as the application lacks XSS filtering.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OneNav beta 0.9.12 contains a stored cross-site scripting (XSS) vulnerability in the Add Link feature. The application does not sanitize user input when adding a link, allowing arbitrary JavaScript to be injected. This affects version 0.9.12 and potentially earlier versions. [1]

Exploitation

An attacker with the ability to add links (requires a user account with link creation privileges) can inject malicious HTML or JavaScript into the link name or URL fields. If the link is displayed to other users, the payload executes in their browsers. No special network position is required beyond normal application access. [1]

Impact

Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's session. This can result in session hijacking, data theft, or further attacks against the application. The vendor notes that the risk is largely limited to compromised accounts, but XSS can propagate to other users who view the malicious link. [1]

Mitigation

No official patch or fix has been released as of the publication date. The vendor plans to add XSS protection in a future release. Users may consider disabling the Add Link feature or implementing a web application firewall (WAF) rule to block XSS payloads. The latest release at the time of writing is version 1.2.4 [2], but it is unclear if XSS protection has been added. It is recommended to update to the latest version and test for XSS protection. [2]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • OneNav/OneNav (description)
  • Helloxz/Onenav (llm-fuzzy)
    Range: = 0.9.12 beta

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3
