Beego has patched a severe cross-site scripting (XSS) vulnerability that could lead to the compromise of a victim’s session or account.
Beego is an open source framework designed for building and developing applications in the Golang (Go) programming language, including RESTful APIs and backend systems.
The modular web framework includes features for code compilation, automated testing, and packing and deploying Go builds. The Beego project is available on GitHub.
Last month, application security researcher Omri Inbar, who is also a member of the Checkmarx team, disclosed the XSS vulnerability to Beego.
Tracked as CVE-2021-39391, the bug, which has not yet been assigned a CVSS score, was found in the administration panel of Beego v2.0.1.
Speaking to The Daily Swig, Inbar said that when a user navigates to a page on a website managed by the framework, the request details – such as the requested URL and Method type – are then logged and stored on the ‘Request Statistics’ page in the administrator panel.
However, it was possible for attackers to try to navigate to a page that did not exist while including a payload – such as HTML tags or JavaScript – and, as there is a lack of sanitization, this would then be forwarded to the Request Statistics page and would run on the admin’s browser.
Blind XSS
This form of attack is known as a blind XSS (a variant of stored XSS) because the potential victim has to trigger the payload before the attacker learns whether or not the code has executed.
In this case, it could be that a threat actor would be able to hijack accounts by stealing session cookies, initiate activities based on the victim’s privilege level, and more.
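The pattern described above (request details logged for every request, including ones for pages that do not exist, and later rendered in an admin page without escaping) is illustrated below in an added Go example. It is not Beego's code: the `statsLogger` middleware, the `reqStat` type, the two render functions and the sample request paths are all constructed for this illustration. `renderUnsafe` shows the defect class (string formatting into HTML), and `renderSafe` shows the fix class (rendering through `html/template`, which escapes HTML metacharacters by context).

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"strings"
)

// reqStat is one row of a hypothetical "request statistics" table: the
// method and path an admin panel records for each request it sees.
type reqStat struct {
	Method string
	Path   string
}

// statsLogger wraps a handler and records every request that passes
// through it, including requests for pages that do not exist.
type statsLogger struct {
	stats []reqStat
	next  http.Handler
}

func (l *statsLogger) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// r.URL.Path is the decoded path, so HTML metacharacters arrive verbatim.
	l.stats = append(l.stats, reqStat{Method: r.Method, Path: r.URL.Path})
	l.next.ServeHTTP(w, r)
}

// renderUnsafe builds the admin table by string formatting, so whatever was
// in the logged path lands in the admin's page unchanged. This is the flaw
// pattern the article describes, in illustrative form (hypothetical code).
func renderUnsafe(stats []reqStat) string {
	var b strings.Builder
	b.WriteString("<table>")
	for _, s := range stats {
		fmt.Fprintf(&b, "<tr><td>%s</td><td>%s</td></tr>", s.Method, s.Path)
	}
	b.WriteString("</table>")
	return b.String()
}

// safeTmpl renders the same rows through html/template, which escapes HTML
// metacharacters in every interpolated value according to its context.
var safeTmpl = template.Must(template.New("stats").Parse(
	`<table>{{range .}}<tr><td>{{.Method}}</td><td>{{.Path}}</td></tr>{{end}}</table>`))

func renderSafe(stats []reqStat) (string, error) {
	var buf bytes.Buffer
	if err := safeTmpl.Execute(&buf, stats); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// containsRawTag reports whether a rendered page still carries the
// constructed sample tag unescaped, i.e. whether escaping was skipped.
func containsRawTag(page string) bool {
	return strings.Contains(page, "<b>")
}

// recordSample drives the logger with two constructed requests: one for a
// page that exists and one for a missing page whose path carries an HTML tag.
func recordSample() []reqStat {
	mux := http.NewServeMux()
	mux.HandleFunc("/index", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	logger := &statsLogger{next: mux} // unknown paths fall through to mux's 404
	for _, target := range []string{
		"http://admin.example/index",          // constructed sample host and path
		"http://admin.example/missing<b>x</b>", // constructed sample: a 404 path carrying a tag
	} {
		req, err := http.NewRequest(http.MethodGet, target, nil)
		if err != nil {
			panic(err)
		}
		logger.ServeHTTP(httptest.NewRecorder(), req)
	}
	return logger.stats
}

func main() {
	stats := recordSample()
	fmt.Println("unsafe:", renderUnsafe(stats))
	safe, _ := renderSafe(stats)
	fmt.Println("safe:  ", safe)
}
```

The 404 request is recorded exactly like the successful one, which is why a statistics page is a sink worth treating as untrusted input. In the escaped render the tag in the second row appears as `&lt;b&gt;x&lt;/b&gt;`, so the admin's browser displays it as text rather than interpreting it as markup.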
Inbar reported the flaw on August 15. Beego acknowledged the bug a day later and committed a fix on the same day. The CVE was assigned on September 15.
Beego v2.0.2 contains a fix for the vulnerability.
Source: https://portswigger.net/daily-swig/beego-patches-severe-xss-vulnerability-in-open-source-web-framework