CVE-2023-52430
Description
The caddy-security plugin 1.1.20 for Caddy allows reflected XSS via a GET request to a URL that contains an XSS payload and begins with either a /admin or /settings/mfa/delete/ substring.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in caddy-security plugin 1.1.20 allows arbitrary JavaScript execution via crafted URLs starting with /admin or /settings/mfa/delete/.
The caddy-security plugin version 1.1.20 for the Caddy web server contains a reflected cross-site scripting (XSS) vulnerability [1][3]. An attacker can inject arbitrary JavaScript by submitting a GET request to a URL that includes an XSS payload and begins with either /admin or /settings/mfa/delete/. The vulnerability stems from insufficient sanitization of user input reflected in the response [2].
Exploitation
Attackers can exploit this by tricking a victim into clicking a crafted link or by embedding the malicious URL in an iframe. No authentication is required to trigger the reflection, as the vulnerability exists in the URL handling logic. The attack surface includes any application using the vulnerable plugin version where users can be directed to such URLs [1].
Impact
Successful exploitation leads to full XSS, allowing the attacker to execute arbitrary JavaScript in the victim's browser context. This can result in session hijacking, credential theft, defacement, or other client-side attacks that compromise user data and integrity of the application [1][3].
Mitigation
The vulnerability is fixed in a later version of the plugin. Users should upgrade to the latest release immediately. No workaround is available. The issue was reported by Trail of Bits and documented in the project's issue tracker [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
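The narrative above describes the defect class (a URL component reflected into an HTML response without escaping) and its fix (escaping before output) but not the plugin's actual code. The following Go example is added here to illustrate that class and its hardened form; it is hypothetical code, not the caddy-security plugin's own handler, and the `/admin/` path, the `<b>marker</b>` probe string and the handler names are constructed for the demonstration. It serves both the description paragraph and the Mitigation section.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"strings"
)

// vulnerableHandler illustrates the defect class: a value taken from the
// request URL is concatenated straight into an HTML response body.
// Hypothetical code, not the caddy-security plugin's own handler.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	// r.URL.Path is attacker-controlled and nothing escapes it here.
	fmt.Fprint(w, "<p>Page not found: "+r.URL.Path+"</p>")
}

// hardenedHandler is the corrected form: the same value is HTML-escaped
// before it is placed in the document, so markup in the path renders as
// literal text instead of being interpreted by the browser.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	fmt.Fprint(w, "<p>Page not found: "+html.EscapeString(r.URL.Path)+"</p>")
}

// render sends an in-process GET for rawPath to h and returns the body,
// so the two handlers can be compared without a running server.
func render(h http.HandlerFunc, rawPath string) string {
	req := httptest.NewRequest(http.MethodGet, rawPath, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

// reflectsRawMarkup reports whether a constructed, inert marker tag
// survives unescaped in the response. A true result is the signal a
// regression test should fail on: the handler reflects input as markup.
func reflectsRawMarkup(h http.HandlerFunc) bool {
	const marker = "<b>marker</b>" // constructed probe, carries no script
	body := render(h, "/admin/"+marker)
	return strings.Contains(body, marker)
}

func main() {
	fmt.Printf("vulnerable handler reflects markup: %v\n", reflectsRawMarkup(vulnerableHandler))
	fmt.Printf("hardened handler reflects markup:   %v\n", reflectsRawMarkup(hardenedHandler))
}
```

The `reflectsRawMarkup` check is the shape of a unit test a project can keep after upgrading: it probes the error path with a harmless tag rather than a script and asserts that the tag comes back escaped. Escaping at the output point (or rendering through `html/template`, which escapes contextually) is the fix the Mitigation section refers to; a `nosniff` header is added only so that the declared content type is honoured, it does not substitute for escaping.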
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/greenpau/caddy-security | Go | <= 1.1.20 | — |
Affected products
- Caddy/caddy-security plugin (source: CVE description)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-xwmv-cx7p-fqfc (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-52430 (GHSA, advisory)
- blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy (GHSA, web)
- github.com/greenpau/caddy-security/issues/264 (GHSA, web)
- blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/ (MITRE)
News mentions
No linked articles in our index yet.