Zephyr Project Manager REST Call cross site scripting
Description
Zephyr Project Manager <3.2.5 has unauthenticated REST endpoints leading to stored XSS via the /v1/tasks/create/ endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Zephyr Project Manager versions prior to 3.2.5 contain a stored cross-site scripting (XSS) vulnerability in the REST API endpoint /v1/tasks/create/. The plugin does not properly sanitize or escape the onanimationstart argument, allowing injection of arbitrary JavaScript. The vulnerability is classified as problematic and can be triggered without authentication because all REST endpoints lack proper authorization checks, even when the "Require Authorisation for REST API Requests" setting is enabled [1].
Exploitation
An unauthenticated attacker can send a crafted HTTP request directly to the /v1/tasks/create/ endpoint with a malicious payload in the onanimationstart parameter. Since no authentication or CSRF token is required, the attack can be performed remotely with no user interaction beyond the target administrator later viewing the affected task, which triggers the stored script [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of a logged-in administrator who views the compromised task. This could lead to theft of session cookies, administrative actions performed on behalf of the admin, or defacement. The scope of impact is information disclosure and privilege escalation within the WordPress context, as the admin-level session can be hijacked [1].
Mitigation
Upgrade to Zephyr Project Manager version 3.2.5, which fixes the missing authorization and adds proper input sanitization. The fix was released on or before 2022-08-29 [1]. No workaround is available; applying the update is the recommended action. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV).
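The narrative above names two defects: REST endpoints reachable without an authorization check, and task fields stored and rendered without sanitization or escaping. The following WordPress snippet is an added illustration of how both are normally addressed; it is not the plugin's own code or its fix, and the namespace, route, capability, post type and field names are hypothetical.

```php
<?php
// Added illustration, not Zephyr Project Manager code. Route, capability,
// post type and parameter names are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-pm/v1', '/tasks/create', array(
        'methods'  => 'POST',
        'callback' => 'example_pm_create_task',

        // Weak form: 'permission_callback' => '__return_true' (or omitting
        // it entirely) makes the endpoint reachable by anyone.
        // Hardened form: require a capability. Cookie-authenticated callers
        // must also send a valid X-WP-Nonce header, otherwise core treats
        // the request as user 0 and this check fails.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },

        // Declaring args lets the REST layer validate and sanitize input
        // before the callback ever sees it.
        'args' => array(
            'title' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 200;
                },
            ),
            'description' => array(
                'type'              => 'string',
                // Allows only the HTML a post author may use; strips
                // scripts and on* event-handler attributes.
                'sanitize_callback' => 'wp_kses_post',
            ),
        ),
    ) );
} );

function example_pm_create_task( WP_REST_Request $request ) {
    // Parameters arrive already sanitized by the callbacks declared above.
    $title       = $request->get_param( 'title' );
    $description = $request->get_param( 'description' );

    $id = wp_insert_post( array(
        'post_type'    => 'example_task', // hypothetical custom post type
        'post_title'   => $title,
        'post_content' => $description,
        'post_status'  => 'publish',
    ), true );

    if ( is_wp_error( $id ) ) {
        return $id; // surfaces as a proper REST error response
    }
    return rest_ensure_response( array( 'id' => $id ) );
}

// Output side: escape at render time regardless of what was stored, so a
// record written before sanitization existed still cannot run script in
// an administrator's browser.
function example_pm_render_task_title( $task_id ) {
    $title = get_the_title( $task_id );
    echo '<span class="task-title" title="' . esc_attr( $title ) . '">'
        . esc_html( $title )
        . '</span>';
}
```

Input sanitization and output escaping are deliberately both present: the `permission_callback` closes the unauthenticated path, the `sanitize_callback`s limit what reaches the database, and `esc_html()`/`esc_attr()` protect the admin screens that display existing tasks, which is the stage at which the stored payload described above would otherwise execute.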
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.2.4
- Zephyr/Project Manager, Range: 3.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — this section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] vuldb.com (MISC)
- [1] wpscan.com/vulnerability/bfd8a7aa-5977-4fe5-b2fc-12bf93caf3ed (MISC)
News mentions
No linked articles in our index yet.