Advisory ID: SYSS-2019-054
Product: Domino Data Science Platform
Manufacturer: Domino Data Lab
Affected Version(s): <3.6.99
Tested Version(s): 3.6.11, 3.6.99
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Resolved
Manufacturer Notification: 2019-12-20
Solution Date: 2020-02-04
Public Disclosure: 2020-03-23
CVE Reference: Not yet assigned
Author of Advisory: Kien-Van Quang, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The manufacturer describes the product as follows (see [1]):

"Domino automates DevOps for data science, so you can spend more time
doing research and test more ideas faster. Automatic tracking of work
enables reproducibility, reusability, and collaboration."

Due to missing input sanitization, it is vulnerable to cross-site
scripting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Collaboration in groups requires the exchange of information, for
example in a discussion. For this purpose, the application provides a
comment functionality which does not sanitize the given input. This
allows an attacker with a valid login to inject scripts into the
discussion site. Whenever a user visits the corresponding site, the
script gets executed in the user's context (stored cross-site
scripting).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Log in to the web application front end. Type the following payload
into any discussion field as a comment provided by the application:

Whenever a user calls up the page, JavaScript code is executed.
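The root cause named above is a comment body that is written into the page without output encoding. The following is an added illustration, not code from Domino Data Lab or from this advisory, of the unsafe rendering pattern beside its hardened form, plus a small check a reviewer can run over stored comments. All function names and the sample comments are constructed for the example.

```javascript
// Added example (not the product's code): rendering a stored discussion
// comment into HTML, unsafe and hardened, for CWE-79 in a comment field.

// Unsafe: the stored comment body is interpolated verbatim, so any markup
// or script tag in the body becomes part of the DOM of every viewer.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Encode the five characters that change meaning in an HTML text or
// quoted-attribute context; everything else passes through unchanged.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: every untrusted value is encoded for the HTML text context
// before it is concatenated into markup. The template's own tags are
// the only tags that can appear in the result.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Defensive check on a rendered fragment: any tag other than the ones the
// template itself emits means untrusted markup leaked through.
const ALLOWED_TAGS = new Set(['div', 'b']);
function containsUnexpectedTag(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!ALLOWED_TAGS.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Audit helper: given stored comments, return the authors whose bodies
// would inject markup if rendered with the unsafe template. Useful for
// triaging existing data after upgrading to a fixed version.
function findInjectingComments(comments) {
  return comments
    .filter((c) => containsUnexpectedTag(renderCommentUnsafe(c.author, c.body)))
    .map((c) => c.author);
}

// Constructed sample comments (not taken from the advisory).
const SAMPLE_COMMENTS = [
  { author: 'alice', body: 'Results look good, compare model v2 & v3' },
  { author: 'mallory', body: 'nice <script>document.title="x"</script>' },
];

for (const c of SAMPLE_COMMENTS) {
  console.log('unsafe:', renderCommentUnsafe(c.author, c.body));
  console.log('safe:  ', renderCommentSafe(c.author, c.body));
}
console.log('comments carrying markup:', findInjectingComments(SAMPLE_COMMENTS));
```

Encoding at the point of output is the fix that closes this class of bug; a restrictive Content-Security-Policy is worth adding as defense in depth but does not replace it.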
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to a newer version (>3.6.99).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-12-19: Vulnerability discovered
2019-12-20: Vulnerability reported to manufacturer
2019-12-20: Reply from manufacturer
2020-01-29: Vulnerability resolved
2020-03-23: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Domino Data Labs
    https://www.dominodatalab.com/
[2] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Kien-Van Quang of SySS GmbH.

E-Mail: kien-van.quang@syss.de

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en