CVE-2023-41165

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the login disclaimer feature of Stormshield Network Security (SNS) firewall appliances. An administrator with write access can configure a login disclaimer containing malicious JavaScript, which will then be interpreted by the login page. The vulnerability affects SNS versions 3.7.0 through 3.7.38, 3.10.0 through 3.11.26, 4.0 through 4.3.21, and 4.4.0 through 4.6.8 [1].

Exploitation

An attacker must have administrative write access to the SNS firewall (privilege level: high). The attacker then modifies the login disclaimer field to include JavaScript code. When any user (including administrators or other authenticated users) visits the login page, the injected JavaScript executes in the context of the victim's browser. No additional user interaction is required beyond accessing the login page. The attack is local (requires network access to the management interface) but remote exploitation is possible if the management interface is exposed [1].

Impact

Successful exploitation allows the attacker to steal sensitive data from the victim's session. The JavaScript can exfiltrate cookies, session tokens, or other information accessible through the browser's DOM on the login page. The vulnerability has a CVSS v3.1 base score of 2.0 (low severity) with a Confidentiality impact of Low, and no Integrity or Availability impact [1].

Mitigation

The vendor released fixed versions: SNS 3.7.39, 3.11.27, 4.3.22, and 4.6.9 [1]. Administrators should upgrade to the latest fixed version. As a workaround, if no login disclaimer is configured, the SNS remains unaffected; if a disclaimer must be used, ensure it does not contain any JavaScript code [1].