Security Patch - April 2024 - jExperience
An XSS vulnerability was uncovered in the jExperience administration UI. By exploiting the vulnerability, an attacker can submit JavaScript code that will be executed by another user navigating through the jExperience administration UI (potentially with that user's privileges).
At the time of writing (April 10, 2024), the vulnerability has not been publicly disclosed, and no CVE or public exploit exists.
Impacted versions
- All versions of jExperience 2.x below 2.10.1 (except 2.7.3) and all versions of jExperience 3.x below 3.3.1 are impacted by the vulnerability.
The vulnerability is limited to the jExperience administration UI. jExperience dashboards relying on Kibana (kibana-dashboards) and the other Jahia Administration UIs are not impacted.
Upgrading jExperience
This issue was addressed in three releases of jExperience:
- jExperience 3.3.1 (aimed at environments using jExperience 3.0.0 or later)
- jExperience 2.10.1 (aimed at environments using jExperience 2.8.0 to 2.10.0)
- jExperience 2.7.3 (aimed at environments using jExperience 2.6.0 to 2.7.2)
Customers are strongly encouraged to upgrade to one of these versions, which provide a simple upgrade path for all customers using jExperience 2.6.0 or later.
Detection
Jahia is not aware of a legitimate use case for JavaScript code to be present in jCustomer data. It is therefore possible to test for the presence of JavaScript tags in Elasticsearch documents to detect whether an attacker tried to exploit the vulnerability.
There are multiple ways for JavaScript to be declared; one simple test is to check for the presence of <script> tags:
curl --request POST \
  -u USERNAME:PASSWORD \
  --url http://ELASTICSEARCH_HOST:9200/_all/_search \
  --header 'Content-Type: application/json' \
  --data '{
    "query": {
      "query_string": {
        "query": "*script*"
      }
    },
    "size": 10,
    "from": 0,
    "sort": []
  }'
Additional searches can be performed using more advanced (or different) strings. The following page provides examples of the forms an XSS payload can take; you can use it to extend your search for JavaScript code in Elasticsearch documents.
Note that the presence of JavaScript code in an Elasticsearch document does not demonstrate that an exploit was successful, but we do recommend reviewing the returned documents (if any) to understand the attacker's goal.
Mitigation
Mitigation options are limited for this vulnerability. The following actions can be taken until the upgrade to a version of jExperience containing the fix is complete:
- Look for the presence of JavaScript in your Elasticsearch documents; it will provide an indication of whether there were exploit attempts. If present, download these documents for analysis, then delete them.
- Ensure users visiting the jExperience administration UI have the least amount of privileges required for their activities.
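The query above is a deliberately broad first pass: a wildcard such as *script* also matches harmless words like "description", so the hits it returns need a second, stricter check before they are treated as exploit attempts, and (per the first mitigation step) a record of what was found is worth keeping before anything is deleted. The following Python script is an added example and not Jahia's or jExperience's own tooling. It takes the raw response of an Elasticsearch _search call (the standard hits.hits[]._source shape), walks every string in each document, and reports only those documents that contain an actual JavaScript indicator (script tags, inline event handlers, javascript: URIs, or element types commonly used to carry them), together with the field path and a snippet for the analyst. The sample response embedded in the script is constructed for illustration; the indicator patterns are the author's own assumptions and are kept loose on purpose so that variants still surface for human review.

```python
import json
import re
from typing import Any, Iterator

# Constructed indicator set (assumption, not from the advisory): loose,
# case-insensitive patterns that flag JavaScript embedded in profile/event
# data. They are meant to surface candidates for review, not to be exhaustive.
JS_INDICATORS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("html_carrier", re.compile(r"<\s*(svg|iframe|img|object|embed)\b", re.I)),
]


def walk(value: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (json_path, string) for every string nested anywhere in a document."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from walk(child, f"{path}[{index}]")
    elif isinstance(value, str):
        yield path, value


def find_javascript_indicators(source: dict) -> list[dict]:
    """Return one finding per (field, indicator) pair found in a document's _source."""
    findings = []
    for path, text in walk(source):
        for name, pattern in JS_INDICATORS:
            match = pattern.search(text)
            if match:
                start = max(0, match.start() - 20)
                findings.append({
                    "path": path,
                    "indicator": name,
                    "snippet": text[start:match.end() + 40],
                })
    return findings


def triage_hits(response: dict) -> list[dict]:
    """Filter a raw Elasticsearch _search response down to the documents that
    really carry JavaScript. Hits that matched '*script*' only on a harmless
    word (for example 'description') are dropped here."""
    suspicious = []
    for hit in response.get("hits", {}).get("hits", []):
        findings = find_javascript_indicators(hit.get("_source", {}))
        if findings:
            suspicious.append({
                "index": hit["_index"],
                "id": hit["_id"],
                "findings": findings,
            })
    return suspicious


# Constructed sample response: what the curl call in the advisory might return.
# p1 and p3 carry JavaScript indicators; p2 matched '*script*' only because of
# the word 'description' and is a false positive of the broad query.
SAMPLE_RESPONSE = {
    "hits": {
        "hits": [
            {"_index": "context-profile", "_id": "p1",
             "_source": {"properties": {"firstName": "<script>console.log('constructed marker')</script>"}}},
            {"_index": "context-event", "_id": "p2",
             "_source": {"description": "Campaign description", "itemType": "event"}},
            {"_index": "context-profile", "_id": "p3",
             "_source": {"properties": {"tags": ["vip", "<b onmouseover=\"void 0\">hi</b>"]}}},
        ]
    }
}


if __name__ == "__main__":
    # Print the triage report as JSON so it can be saved for analysis before
    # the flagged documents are deleted, as the advisory's mitigation step advises.
    print(json.dumps(triage_hits(SAMPLE_RESPONSE), indent=2))
```

In practice, feed the script the JSON returned by the advisory's curl command (raise "size" and page with "from" so nothing is missed), archive the report it prints, and only then delete the flagged documents by index and id.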