Advisory ID: SYSS-2020-009
Product: PrimeFaces
Manufacturer: PrimeTek
Affected Version: 7.0.11
Tested Version: 7.0.11
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2020-03-04
Solution Date: 2020-03-04
Public Disclosure: 2020-03-31
CVE Reference: CVE-2020-10544
Author of Advisory: Timothy Mason, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

PrimeFaces is an open source JSF component suite. More precisely, it is
a UI library used in Java EE systems.

The manufacturer describes the product as follows (see [1]):

"PrimeFaces is a popular open source framework for JavaServer Faces
featuring over 100 components, touch optimized mobilekit, client side
validation, theme engine and more."

Due to missing user input validation, the tooltip function is vulnerable
to cross-site scripting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The target title of a tooltip is not escaped before it is rendered.
Therefore, it is vulnerable to cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

In a web application using PrimeFaces, an attacker can provide
JavaScript code (e.g. the test vector ) in corresponding input fields
whose data is later used as tooltip titles without any input validation.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to the last committed version 8.0.

According to feedback we received, the non-free version 7.0.13 fixes
the issue as well.
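To illustrate the defect described under Vulnerability Details, here is an added example (not PrimeFaces code) contrasting a tooltip renderer that concatenates the title into markup verbatim with one that HTML-escapes it first; the element names, class name and sample title are constructed for this illustration.

```javascript
// Added illustration (not PrimeFaces code): a user-controlled tooltip title
// placed into HTML without escaping versus with escaping.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the characters that let a string break out of element text or
// an attribute value in HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the title is concatenated unchanged, so markup inside
// the title becomes part of the document when the tooltip is rendered.
function renderTooltipUnsafe(title) {
  return `<div class="tooltip" title="${title}">${title}</div>`;
}

// Hardened pattern: the title is escaped before use in both the attribute
// value and the element text, so it can only ever be displayed as text.
function renderTooltipSafe(title) {
  const safe = escapeHtml(title);
  return `<div class="tooltip" title="${safe}">${safe}</div>`;
}

// Review check for rendered tooltip markup: the wrapper contributes exactly
// two '<' characters (open and close tag); any further '<' came from the title.
function containsInjectedMarkup(markup) {
  const openAngles = (markup.match(/</g) || []).length;
  return openAngles > 2;
}

// Constructed sample title: benign markup and a quote character are enough to
// show that the unsafe renderer interprets the title as HTML.
const SAMPLE_TITLE = 'Order "A-17" <i>pending</i>';

console.log(renderTooltipUnsafe(SAMPLE_TITLE)); // title becomes live markup
console.log(renderTooltipSafe(SAMPLE_TITLE));   // title stays plain text
```
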
More information:
https://github.com/primefaces/primefaces/issues/5642

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-03-03: Vulnerability discovered
2020-03-04: Vulnerability reported to manufacturer
2020-03-04: Patch released by manufacturer
2020-03-31: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for PrimeFaces
    https://www.primefaces.org/
[2] SySS Security Advisory SYSS-2020-009
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-009.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Timothy Mason of SySS GmbH.

E-Mail: timothy.mason@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Timothy_Mason.asc
Key ID: A5F2CA5BC5278321
Key Fingerprint: 9CB7 5679 1B53 9C75 1F5E 1B2D A5F2 CA5B C527 8321

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en