
CVE-2018-1000529 PoC — Grails Fields Plugin Cross-Site Scripting Vulnerability

Source
Associated Vulnerability
Title: Grails Fields Plugin Cross-Site Scripting Vulnerability (CVE-2018-1000529)
Description: The Grails Fields plugin is a plugin for defining field properties. Version 2.2.7 of the Grails Fields plugin contains a cross-site scripting vulnerability in the way its display tags are used. A remote attacker could exploit this vulnerability to inject arbitrary web script or HTML.
Readme
# CVE-2018-1000529

NVD CVE-2018-1000529:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000529

MITRE CVE-2018-1000529:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1000529

# Stored XSS in Grails Fields Plugin <=2.2.7

This repository was used to demonstrate a proof of concept of the vulnerability for the responsible disclosure to the [Grails team](https://objectcomputing.com/products/grails/).

The XSS vulnerability is present in all projects using Grails v3.3.5 and below, since they all include the affected Grails Fields plugin v2.2.7 and below.
It was fixed in the Grails Fields plugin v2.2.8, which is being used in Grails v3.3.6.

**All projects using Grails v3.3.5 or lower are recommended to upgrade to at least v3.3.6 or to define the version of the Grails Fields plugin dependency in `build.gradle` to be v2.2.8 or higher.**
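As an added check for the recommendation above (example code, not part of the original repository), a small Python script that reads a project's `build.gradle` and `gradle.properties` and reports whether the resolved Grails Fields plugin would still be v2.2.7 or lower. It assumes the plugin's Gradle coordinate is `org.grails.plugins:fields` and that an explicit version in `build.gradle` overrides the one managed by Grails; the sample inputs are constructed.

```python
import re

# Versions stated on the page: Grails Fields 2.2.8 fixes the XSS, and Grails 3.3.6
# is the first Grails release whose default dependency set includes it.
FIXED_FIELDS = (2, 2, 8)
FIXED_GRAILS = (3, 3, 6)

# Assumed Gradle coordinate of the plugin (org.grails.plugins:fields); the page only
# names the plugin, not its artifact id.
FIELDS_DEP_RE = re.compile(r'org\.grails\.plugins:fields:(\d+(?:\.\d+)*)')
GRAILS_VER_RE = re.compile(r'^\s*grailsVersion\s*=\s*(\d+(?:\.\d+)*)', re.MULTILINE)


def parse_version(text):
    """'2.2.7' -> (2, 2, 7); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.split('.'))


def is_vulnerable(build_gradle, gradle_properties):
    """True when the project would resolve Grails Fields <= 2.2.7.

    An explicit fields dependency in build.gradle is assumed to override the
    version managed by the Grails BOM; without one, the version follows the
    grailsVersion in gradle.properties (<= 3.3.5 ships the vulnerable plugin).
    """
    pinned = FIELDS_DEP_RE.search(build_gradle)
    if pinned:
        return parse_version(pinned.group(1)) < FIXED_FIELDS
    grails = GRAILS_VER_RE.search(gradle_properties)
    if grails:
        return parse_version(grails.group(1)) < FIXED_GRAILS
    raise ValueError('neither a fields plugin version nor grailsVersion was found')


# Constructed sample inputs, modelled on a scaffolded Grails 3.3.x project.
SCAFFOLDED_BUILD = 'dependencies {\n    compile "org.grails.plugins:scaffolding"\n}\n'
PINNED_BUILD = 'dependencies {\n    compile "org.grails.plugins:fields:2.2.8"\n}\n'
OLD_PROPS = 'grailsVersion=3.3.5\ngradleWrapperVersion=3.5\n'
NEW_PROPS = 'grailsVersion=3.3.6\ngradleWrapperVersion=3.5\n'

if __name__ == '__main__':
    for label, build, props in [('scaffolded 3.3.5', SCAFFOLDED_BUILD, OLD_PROPS),
                                ('pinned fields 2.2.8 on 3.3.5', PINNED_BUILD, OLD_PROPS),
                                ('scaffolded 3.3.6', SCAFFOLDED_BUILD, NEW_PROPS)]:
        print(f'{label}: {"VULNERABLE" if is_vulnerable(build, props) else "ok"}')
```

Running `gradle dependencies` and grepping the resolved `fields` version remains the authoritative check, since transitive resolution can differ from what the build files suggest.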

Since the Grails Fields plugin is widely used in Grails Scaffolding, all scaffolded applications using Grails v3.3.5 and below are potentially vulnerable.
Even though Grails has [good XSS countermeasures](https://docs.grails.org/latest/guide/security.html#xssPrevention) in place by default, domain object values rendered by the Grails Fields plugin's tags are neither encoded nor validated, so any HTML or JavaScript they contain is executed by the browser.

## Usage

Clone this project and then start the application locally by running:
### Windows
In a command prompt / powershell:
```
grailsw.bat run-app
```
### Mac / Linux
In a terminal window:
```
./grailsw run-app
```

### Running the PoC
When the Grails application is fully initialized, it will display:
```
Grails application running at http://localhost:8080 in environment: development
```

1. The URL should automatically open in the default browser, else open your browser and manually enter the URL.  
2. Click on the link `myapp.TestController`  
3. When the next page has loaded, a JavaScript alert dialog with the text `XSS` will open.  

The domain object `Test1` is being created during initialization and is defined in the `grails-app/init/myapp/BootStrap.groovy` file.  
The vulnerability is not only present when the object is being created during BootStrap, but also when being created in the scaffolded GUI by user input.  
This can be tested by removing the `Test1` object and adding a new `Test` object containing the name: `Test1<script>alert('XSS');</script>`  

## Timeline
- **22nd of May 2018**: Discovery and responsible disclosure of the vulnerability by [@martinfrancois](https://github.com/martinfrancois)
- **24th of May 2018**: Acknowledgement of the vulnerability and submission of [CVE request](https://docs.google.com/spreadsheets/d/1PlDOsZ4Q36JU4Dz9zyBB2F3814dScppCRCe1muCT7JI/edit#gid=404258366&range=A210)
- **24th of May 2018**: [Pull request](https://github.com/grails-fields-plugin/grails-fields/pull/277) with fix for the vulnerability for Grails v3.x merged into [grails-fields-plugin](https://github.com/grails-fields-plugin/grails-fields)
- **24th of May 2018**: [Release](https://github.com/grails-fields-plugin/grails-fields/releases/tag/v2.2.8) of Grails Fields Plugin v2.2.8 for Grails v3.x
- **25th of May 2018**: [Pull request](https://github.com/grails-fields-plugin/grails-fields/pull/279) with fix for the vulnerability for Grails v2.x merged into [grails-fields-plugin](https://github.com/grails-fields-plugin/grails-fields)
- **25th of May 2018**: [Release](https://github.com/grails-fields-plugin/grails-fields/commit/011f85e1c599577f88ad96156f6739397cb5c8fa) of Grails Fields Plugin v1.6 for Grails v2.x
- **15th of June 2018**: [Release](https://github.com/grails/grails-core/releases/tag/v3.3.6) of Grails v3.3.6, including the updated dependency of the fixed Grails Fields plugin v2.2.8
- **22nd of June 2018**: [CVE-2018-1000529](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1000529) assigned
- **26th of June 2018**: [CVE-2018-1000529](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1000529) published

Thanks a lot to the Grails team for quickly resolving this vulnerability, including:  
- [@sdelamo](https://github.com/sdelamo)
- [@sbglasius](https://github.com/sbglasius)
- [@ilopmar](https://github.com/ilopmar)