CVE-2021-44916

Vulnerability

A cross-site scripting (XSS) vulnerability exists in Open-AudIT Community versions 4.2.0 and earlier [1][2]. The flaw is in the create_url function within /code_igniter/application/helpers/output_helper.php [3]. The function constructs a URL by directly concatenating $_SERVER['HTTP_HOST'] and $_SERVER['PHP_SELF'] with user-supplied query parameters without sanitization, allowing arbitrary JavaScript to be injected [3].

Exploitation

An attacker can craft a malicious URL containing JavaScript code as a query parameter value [2]. When a logged-in user clicks on the crafted link (e.g., via phishing, social engineering, or embedding on a third-party site), the malicious script executes in the user's browser within the Open-AudIT session context [2]. No special network position or authentication level is required beyond the victim being authenticated.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, leading to potential session hijacking, theft of credentials, defacement, or further actions within the Open-AudIT instance as the victim user [1][2]. The compromise occurs at the user's privilege level.

Mitigation

The fix was released in Open-AudIT Community version 4.3.0, which modifies the create_url function to use a relative path ('?') instead of incorporating user-controlled HTTP_HOST and PHP_SELF values [1][3]. As a workaround for unpatched versions, administrators can manually replace the output_helper.php file with the patched version available from the Opmantek advisory or GitHub commit [2].