CVE-2024-6585
Description
Multiple stored cross-site scripting (XSS) vulnerabilities in the markdown dashboard and dashboard comment functionality of Lightdash version 0.1024.6 allow remote authenticated threat actors to inject malicious scripts into vulnerable web pages. A threat actor could potentially exploit this vulnerability to store malicious JavaScript which executes in the context of a user's session with the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Lightdash v0.1024.6 has stored XSS in markdown dashboards and comments, allowing authenticated attackers to inject persistent malicious scripts.
Root cause
Lightdash version 0.1024.6 contains multiple stored cross-site scripting (XSS) vulnerabilities in its markdown dashboard tiles and dashboard comment functionality. The application did not adequately sanitize user-supplied HTML in the content field of markdown tiles and the textHtml field of comments. As a result, an authenticated attacker could inject arbitrary HTML/JavaScript, including elements with `javascript:` URIs [1][2][4].
Exploitation
An attacker with permission to create or edit dashboards can send a crafted PATCH /api/v1/dashboards/ request with a malicious payload in the content parameter of a markdown tile. For comment-based XSS, the attacker posts a comment containing unsanitized HTML. No additional privileges or user interaction beyond viewing the dashboard or reading the comment is required. The payload is stored on the server and executed in the browser of any user who loads the affected page [4].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, request forgery, data exfiltration, and account takeover, as the attacker can impersonate the victim and access any data the victim can view [4].
Mitigation
The vendor addressed these vulnerabilities in commits included in pull requests #9359 and #9510. The fixes implement server-side and client-side HTML sanitization for comments and markdown tiles, respectively, using a restrictive allowlist of tags and attributes. Users should upgrade to a patched version (e.g., 0.1025.0 or later) to remediate the issue [1][2][3].
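The fix described above relies on allowlist-based HTML sanitization of the stored markdown-tile and comment content. The following is an added illustration of that defensive technique, not code from Lightdash or from pull requests #9359 and #9510: a small sanitizer that keeps only an allowlisted set of tags and attributes, drops event-handler attributes, drops the content of script-like elements, and rejects `href` values whose scheme resolves to `javascript:` even after entity decoding and whitespace/control-character obfuscation. The tag list, attribute list and URL policy are illustrative assumptions, and the two sample inputs at the bottom are constructed.

```javascript
// Added example (not Lightdash code): allowlist HTML sanitizer for user-authored content.
// Assumptions: ALLOWED_TAGS / ALLOWED_ATTRS / SAFE_SCHEMES are an illustrative policy.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'code', 'pre', 'ul', 'ol',
  'li', 'a', 'h1', 'h2', 'h3', 'blockquote']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };   // no on* handlers, no style
const DROP_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);
const SAFE_SCHEMES = /^(https?|mailto):/i;

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', nbsp: '\u00a0' };

// Escape text so it can never be interpreted as markup when re-emitted.
function escapeText(s) {
  return s.replace(/[&<>"]/g, (c) => ESCAPES[c]);
}

// Decode numeric and a few named entities; unknown entities are left untouched
// (they get re-escaped on output, so "&colon;" can never become a real ':').
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));?/gi, (whole, hex, dec, name) => {
    if (hex || dec) {
      const cp = parseInt(hex || dec, hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
    }
    const v = NAMED[name.toLowerCase()];
    return v === undefined ? whole : v;
  });
}

// Return a normalized URL if its scheme is allowed (or it is relative), else null.
// Entities are decoded first ("javascript&#58;") and the control/whitespace
// characters browsers tolerate inside a scheme ("java\tscript:") are stripped.
function normalizeUrl(raw) {
  const url = decodeEntities(raw).replace(/[\u0000-\u0020\u007f]/g, '');
  const hasScheme = /^[a-z][a-z0-9+.\-]*:/i.test(url);
  if (hasScheme) return SAFE_SCHEMES.test(url) ? url : null;
  return url;   // relative URL: harmless with respect to script execution
}

// Keep only allowlisted attributes for this tag; validate href.
function sanitizeAttrs(tag, attrString) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  let m;
  while ((m = attrRe.exec(attrString)) !== null) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name)) continue;                 // drops onclick, onerror, style, ...
    let value = m[2] ?? m[3] ?? m[4] ?? '';
    if (name === 'href') {
      const safe = normalizeUrl(value);
      if (safe === null) continue;                    // javascript:/data:/etc. removed
      value = safe;
    } else {
      value = decodeEntities(value);
    }
    out += ` ${name}="${escapeText(value)}"`;
  }
  if (tag === 'a') out += ' rel="noopener noreferrer"';
  return out;
}

// Walk the input tag by tag: text is escaped, disallowed tags are dropped
// (their text kept), script-like elements are dropped together with their content.
function sanitizeHtml(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '';
  let last = 0;
  let skipUntil = null;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!skipUntil) out += escapeText(decodeEntities(html.slice(last, m.index)));
    last = tagRe.lastIndex;
    const isClose = m[0][1] === '/';
    const name = m[1].toLowerCase();
    if (skipUntil) {
      if (isClose && name === skipUntil) skipUntil = null;
      continue;
    }
    if (DROP_CONTENT.has(name)) { if (!isClose) skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;            // unknown/dangerous tag: strip tag only
    out += isClose ? `</${name}>` : `<${name}${sanitizeAttrs(name, m[2])}>`;
  }
  if (!skipUntil) out += escapeText(decodeEntities(html.slice(last)));
  return out;
}

// Constructed sample inputs, run when executed directly.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(sanitizeHtml('<p>Hi <a href="jav&#x09;ascript:alert(1)" onclick="x()">link</a></p>'));
  console.log(sanitizeHtml('<script>alert(1)</script><p>after &amp; 1 < 2</p>'));
}

module.exports = { sanitizeHtml, normalizeUrl, decodeEntities };
```

The policy is applied on output construction rather than by blocklisting known-bad strings: anything not explicitly allowed is removed, which is what makes an allowlist robust against encoding tricks. A production deployment would use a maintained sanitizer library and apply it on the server before storage as well as on the client before rendering, as the vendor's fix does.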
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (1)
- 0e0dc42ab2ca
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (7)
- [1] github.com/google/security-research/security/advisories/GHSA-6529-6jv3-66q2 (NVD)
- [2] github.com/lightdash/lightdash/pull/9359 (NVD)
- [3] github.com/lightdash/lightdash/pull/9510 (NVD)
- [4] github.com/lightdash/lightdash/releases/tag/0.1042.2 (NVD)
- [5] patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9359.patch (NVD)
- [6] patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9510.patch (NVD)
- [7] www.cve.org/CVERecord (NVD)
News mentions (0)
No linked articles in our index yet.