HTML Injection in Vaultwarden

An HTML injection vulnerability was found in Vaultwarden version 1.30.3 (or earlier). We have reported this vulnerability to the developer, who addressed the issue and fixed the vulnerability in version 1.32.0.

Description

Vaultwarden is shipped with an Admin dashboard. This functionality can be enabled following the instructions described here:

https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page

Once activated, the Vaultwarden admin dashboard is available at /admin. Vaultwarden admin dashboard features a page for user management. For users that are members of an organization, the admin could quickly change the role assignment using a modal dialogue.

This modal dialogue is vulnerable to HTML injection. Payloads can be injected via the Organization and User fields. To demonstrate the issue, the following payload was stored in the Organization field.

<div style=position:absolute;width:100%;height:100%;background:red;z-index:9>Foobar</div>

The injected payload was parsed as HTML code and rendered on the vulnerable page:

Note that by default, Vaultwarden uses a very strict Content-Security-Policy (CSP). This CSP successfully prevents attempts to execute JavaScript via the injected HTML code.

content-security-policy: 
default-src 'self'; 
base-uri 'self'; 
form-action 'self'; 
object-src 'self' blob:; 
script-src 'self' 'wasm-unsafe-eval'; 
style-src 'self' 'unsafe-inline'; 
child-src 'self' https://*.duosecurity.com https://*.duofederal.com; 
frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; 
frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ; 
img-src 'self' data: https://haveibeenpwned.com ; 
connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory https://app.simplelogin.io/api/ https://app.addy.io/api/ https://api.fastmail.com/ https://api.forwardemail.net ; 

Some exploitation is nevertheless possible. For example, the following payload could be used to redirect affected users to an arbitrary page when the dialog is opened.

<meta name=language content=1;https://mgm-sp.com HTTP-EQUIV=refresh />

The vulnerable source code can be found here: https://github.com/dani-garcia/vaultwarden/blob/1.30.3/src/static/scripts/admin_users.js#L201
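As an added illustration, not Vaultwarden's own code from admin_users.js, the following JavaScript contrasts building the modal's heading from the untrusted Organization and User fields with and without HTML escaping. The function names and the template markup are assumptions; the inputs are the two payloads quoted above.

```javascript
// Added example (not Vaultwarden's code): how a role-assignment modal
// might build its heading from the Organization and User fields, first in
// a vulnerable form and then in an escaped form. Function names and the
// template are assumptions for illustration; the payloads are the ones
// quoted in the report.

// Minimal HTML escaper: encodes the five characters that can open or
// close tags and attributes, so untrusted text is rendered literally.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: field values are concatenated straight into markup
// that is later assigned to innerHTML, so any tag in the value is parsed.
function buildDialogTitleVulnerable(orgName, userName) {
  return `<h3>Organization: ${orgName}<br>User: ${userName}</h3>`;
}

// Hardened pattern: every untrusted value is escaped before concatenation.
// In real DOM code, assigning the values to textContent instead of using
// innerHTML is the simpler fix; string building is used here so the example
// runs without a browser.
function buildDialogTitleSafe(orgName, userName) {
  return `<h3>Organization: ${escapeHtml(orgName)}<br>User: ${escapeHtml(userName)}</h3>`;
}

// Check used by the demonstration: does the produced markup contain any
// tag other than the ones the template itself emits?
function containsForeignTag(html) {
  const allowed = new Set(["h3", "/h3", "br"]);
  const tags = [...html.matchAll(/<([^\s>]+)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.has(t));
}

// Constructed inputs: the two payloads quoted in the report.
const overlayPayload =
  "<div style=position:absolute;width:100%;height:100%;background:red;z-index:9>Foobar</div>";
const redirectPayload =
  "<meta name=language content=1;https://mgm-sp.com HTTP-EQUIV=refresh />";

console.log(containsForeignTag(buildDialogTitleVulnerable(overlayPayload, "alice"))); // true
console.log(containsForeignTag(buildDialogTitleSafe(overlayPayload, "alice")));       // false
console.log(containsForeignTag(buildDialogTitleSafe("Acme", redirectPayload)));       // false
```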

Assigned CVE

https://nvd.nist.gov/vuln/detail/CVE-2024-39926

Affected Component

https://github.com/dani-garcia/vaultwarden/

Attack Type

Remote

Impact Code Execution

True

Attack vectors

To exploit the vulnerability, the user needs to click on a malicious link prepared by the attacker.

Reference

https://github.com/dani-garcia/vaultwarden/pull/4737

https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0

Discoverer

Mirko Richter (mgm security partners), Tuyen Thuc Nguyen (mgm security partners)