Thycotic, a maker of access-control and other security products, has patched a stored cross-site scripting vulnerability in one of its products that could enable an attacker to steal a victim’s stored passwords.
The vulnerability is in the company’s Secret Server product, which is designed to provide password management for enterprises. Marco Delai, a researcher at Compass Security in Switzerland, discovered the stored XSS flaw in the software and reported it to the company.
“The identified vulnerability (stored Cross-Site Scripting) allows the execution of JavaScript code in the browser of a valid user when they toggle the password mask on a specially crafted password. This allows, for example, an attacker to prepare a specially crafted shared password, which when read by another user, can steal all other passwords the victim has access to,” the advisory says.
The bug affects versions 8.6.000000 to 8.8.000004 of Thycotic Secret Server and is patched in version 8.8.000005.
Delai said in the advisory that exploiting the vulnerability is a simple process.
“Create a new password entry within Secret Server with the following value: “Compass Security<script>alert("Compass Security")</script>”. Open the basic dashboard and toggle the password mask. The password is retrieved from the server using an AJAX call and its value is added straight to the page’s DOM without validation. Thus, the script included in step 1 is executed,” the advisory says.
Stored XSS attacks involve an attacker storing the malicious code on a target server, where the victim later encounters it, at which point the vulnerability is exploited.
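The advisory's root cause is that a secret value fetched via AJAX is placed into the DOM as markup rather than as text. The following is an added illustration, not Thycotic's code or the researcher's: it contrasts the unescaped rendering pattern with an entity-encoded one and includes a simple audit check for stored values that contain markup. The secret value and function names are constructed for the example.

```javascript
// Constructed sample secret containing the same kind of markup the advisory
// describes; in a password manager this is just data that should be displayed
// verbatim, never interpreted.
const CONSTRUCTED_SECRET = 'Compass Security<script>alert("Compass Security")</script>';

// Entity-encode the five characters that can change HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable pattern (hypothetical name): the fetched value is concatenated
// into markup that will be assigned to innerHTML, so any tags in the secret
// become live DOM when the mask is toggled.
function renderUnmaskedUnsafe(secretValue) {
  return `<span class="password">${secretValue}</span>`;
}

// Hardened pattern (hypothetical name): encode before building markup. In a
// real browser the equivalent is to set element.textContent = secretValue
// instead of touching innerHTML at all.
function renderUnmaskedSafe(secretValue) {
  return `<span class="password">${escapeHtml(secretValue)}</span>`;
}

// Audit helper (hypothetical name): flags stored secrets that contain an
// HTML-looking tag, useful for reviewing an existing secret store before the
// server is patched. A bare "<" or ">" in a password is not flagged.
function containsMarkup(secretValue) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(secretValue);
}

module.exports = { CONSTRUCTED_SECRET, escapeHtml, renderUnmaskedUnsafe, renderUnmaskedSafe, containsMarkup };
```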