| Field | Value |
|---|---|
| Title | Radware Cyber Controller <=~10.11.0 Cross Site Scripting |

Description:

Title: Stored Cross-Site Scripting (XSS) leading to Server-Side Request Forgery (SSRF)
Vulnerability Type

- CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
- CWE-918: Server-Side Request Forgery (SSRF)

Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in the report generation component of the web application. User-controlled input is stored and later rendered in HTML reports without proper output encoding or sanitization. An attacker can inject arbitrary HTML/JavaScript that is executed when another user or the server-side report renderer loads the generated report.

Because the report generation feature also performs server-side rendering of HTML content (for example when exporting reports to PDF/HTML), the injected payload can force the backend renderer to load attacker-controlled resources or internal network endpoints. This behavior can be leveraged to trigger Server-Side Request Forgery (SSRF), allowing an attacker to coerce the application server into making arbitrary HTTP requests to internal or external systems.

In environments where the report renderer has network access to internal infrastructure, this vulnerability may enable internal network discovery, access to metadata services (e.g., cloud instance metadata), or interaction with otherwise inaccessible internal services.

Affected Component

Report generation module responsible for exporting reports in HTML or PDF format.

Affected Versions

All versions prior to the patched release, in which user-supplied report fields are rendered without proper HTML escaping during report generation.

Attack Vector

Remote, authenticated (depending on report creation permissions).

An attacker able to submit or modify report content can persist malicious HTML/JavaScript that will later be rendered by users or backend rendering engines.
Technical Description

The application stores user-provided data (for example report names, group names, descriptions, or other metadata fields) and later embeds this content directly in the generated HTML report template.

The application does not perform proper output encoding before injecting these values into the HTML structure. As a result, arbitrary HTML elements can be injected into the report content.

When the report is viewed in a browser, the injected HTML is interpreted by the browser. When the report is rendered server-side (headless Chromium in this case), the injected HTML elements can trigger network requests from the server.

Attackers can abuse HTML elements that automatically load remote resources, such as:

- img
- iframe
- link
- script
- video
- object

If the backend renderer resolves these resources, the attacker can trigger SSRF requests originating from the application server.

In particular, the vulnerability can be abused using dangling markup techniques or external resource references to force requests toward internal endpoints.

Example attack scenarios include:

1. Internal network scanning through blind SSRF.
2. Access to internal administrative services.
3. Access to cloud metadata endpoints (e.g., http://x.x.x.x).
4. Interaction with internal APIs not accessible externally.
Proof of Concept (PoC)

Step 1 – Inject malicious payload in a stored field (e.g., report name or group name):

```html
"><img src="http://attacker-controlled-domain.com/ssrf-test">
```

Step 2 – Save the report.

Step 3 – Trigger the report generation feature (HTML or PDF export).

Step 4 – The backend renderer processes the HTML and attempts to fetch the external resource specified in the img tag.

Step 5 – The attacker observes the incoming HTTP request on their controlled server.

Example payload for internal probing:

```html
"><img src="http://127.0.0.1:8080/internal">
```

Example payload targeting cloud metadata:

```html
"><img src="http://x.x.x.x/latest/meta-data/">
```

Example blind SSRF detection payload:

```html
"><img src="http://attacker.example.com/ssrf?source=report_renderer">
```
Observed Behavior

When the report is generated, the backend renderer resolves the external resource. The attacker-controlled server receives a request originating from the application server, confirming SSRF capability.

Expected Behavior

User-supplied content should be safely encoded before being inserted into HTML templates. Additionally, server-side rendering engines should restrict outbound network access or sanitize embedded external resource references.
Impact

Security Impact

- Stored XSS affecting users viewing the generated report.
- Server-Side Request Forgery through server-side HTML rendering.
- Potential access to internal services not exposed externally.

Possible Consequences

- Internal network reconnaissance.
- Access to internal APIs.
- Access to cloud instance metadata.
- Exposure of sensitive infrastructure endpoints.
- Potential chaining with additional vulnerabilities.

If the renderer runs in a privileged environment with broad network access, the vulnerability may significantly expand the attack surface of the infrastructure.
Disclosure Timeline

- 2026-03-28 – Vulnerability discovered during authorized penetration testing
- 2026-03-30 – Vendor notified with technical details and PoC

Credits: Aquamulot

| Field | Value |
|---|---|
| User | Anonymous User |
| Submission | 26.05.2026 13:58 (28 days ago) |
| Moderated | 21.06.2026 07:57 (26 days later) |
| Status | Accepted |
| VulDB Entry | 372606 [Radware Cyber Controller up to 10.11.0 HTML Report Generation HTML injection] |
| Points | 17 |