Summary
Vision Space reported a template injection vulnerability in the F' GDS Dashboard tab. This tab is
used so that users can create, save, and load their custom dashboard UI. However, the loaded
layout is inserted directly into a Vue template with no other parsing.
Vision Space has also documented this vulnerability as:
CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Details
Crafting a layout file that includes and executes a malicious script at loading time is possible. The demonstration used a layout file with a JavaScript payload that sends a cmdDisp.CMD_NO_OP_STRING command with “Sent command from layout” as its argument. Once the file is loaded, no further user interaction is required. The layout file for the demonstration was limited to 1 MB, which is enough to mimic any user interaction from the page and to modify the behaviour of the entire UI so that malicious actions are hidden in the background (such as hiding events or deleting commands sent from the UI). Upon loading the layout file, a new command is sent and then deleted from the UI after 1 s, hiding the action from the user.
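The mitigation for this class of bug is to stop treating the layout file as template source. The following is an added example, not code from the F' GDS project: it assumes a hypothetical layout format (a JSON tree of `{component, props, children}` objects) and a hypothetical allowlist of dashboard component and prop names, validates a loaded file against that allowlist, rejects string values carrying template syntax, and serialises the validated tree with attribute escaping so that nothing from the file is ever handed to the runtime template compiler as markup or expression.

```javascript
// Added example (not F' GDS code). The layout format and the allowlist below
// are assumptions made for illustration; the real dashboard format differs.

// Allowlist: which components a layout may reference and which props each
// component accepts. Anything not listed (including event handler attributes,
// v- directives, or "script") is rejected rather than passed through.
const ALLOWED = {
  "dashboard-row": new Set([]),
  "dashboard-box": new Set(["title"]),
  "command-history": new Set(["limit"]),
  "event-list": new Set(["limit"]),
};

// Characters that would only matter if a value were compiled as template
// source. Rejecting them is defence in depth on top of the escaping below.
const TEMPLATE_SYNTAX = /[<>]|\{\{|\}\}/;

// Recursively validate one node of the layout tree, collecting errors.
function validateNode(node, path, errors) {
  if (typeof node !== "object" || node === null || Array.isArray(node)) {
    errors.push(`${path}: node must be an object`);
    return;
  }
  const { component, props = {}, children = [] } = node;
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, component)) {
    errors.push(`${path}: component "${String(component)}" is not allowed`);
    return;
  }
  for (const [name, value] of Object.entries(props)) {
    if (!ALLOWED[component].has(name)) {
      errors.push(`${path}: prop "${name}" is not allowed on ${component}`);
      continue;
    }
    if (typeof value === "string" && TEMPLATE_SYNTAX.test(value)) {
      errors.push(`${path}: prop "${name}" contains template syntax`);
    } else if (typeof value !== "string" && typeof value !== "number") {
      errors.push(`${path}: prop "${name}" must be a string or number`);
    }
  }
  if (!Array.isArray(children)) {
    errors.push(`${path}: children must be an array`);
    return;
  }
  children.forEach((child, i) =>
    validateNode(child, `${path}.children[${i}]`, errors));
}

// Parse a loaded layout file as JSON data (never as markup) and validate it.
// The size cap is an illustrative limit, not the dashboard's own.
function parseLayoutFile(text, maxBytes = 1024 * 1024) {
  if (Buffer.byteLength(text, "utf8") > maxBytes) {
    return { ok: false, errors: ["layout file exceeds size limit"], layout: null };
  }
  let layout;
  try {
    layout = JSON.parse(text);
  } catch (e) {
    return { ok: false, errors: [`invalid JSON: ${e.message}`], layout: null };
  }
  const errors = [];
  validateNode(layout, "root", errors);
  return { ok: errors.length === 0, errors, layout: errors.length === 0 ? layout : null };
}

// Attribute escaping: neutralises the characters that could close an
// attribute or start a tag when the validated tree is turned into markup.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Serialise a validated tree. Only allowlisted tag and attribute names reach
// the output, and every value is escaped, so file content cannot inject
// elements, directives or interpolation.
function renderLayout(node) {
  const attrs = Object.entries(node.props || {})
    .map(([k, v]) => ` ${k}="${escapeAttr(v)}"`)
    .join("");
  const inner = (node.children || []).map(renderLayout).join("");
  return `<${node.component}${attrs}>${inner}</${node.component}>`;
}

// Constructed sample layout file for demonstration.
const SAMPLE_LAYOUT = JSON.stringify({
  component: "dashboard-row",
  children: [
    { component: "dashboard-box", props: { title: "Commands" },
      children: [{ component: "command-history", props: { limit: 20 } }] },
    { component: "event-list", props: { limit: 50 } },
  ],
});

const result = parseLayoutFile(SAMPLE_LAYOUT);
console.log(result.ok ? renderLayout(result.layout) : result.errors);
```

The key design point is that the file is parsed as data and compared against an allowlist before anything is rendered; even if a future change passed the serialised markup back to a template compiler, the allowlist on names plus escaping on values leaves no path for file content to become an executable expression or handler.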
PoC
(see above)
Impact
Malicious commands could be sent without user knowledge.