CleverTap Cordova Plugin 2.6.2 - Reflected XSS
9.3
Critical
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
CleverTap Cordova Plugin 2.6.2 - Reflected XSS
Code name
State
Public
Release date
Jul 14, 2023
Affected product
CleverTap Cordova Plugin
Affected version(s)
2.6.2
Vulnerability name
Reflected cross-site scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
CVSS v3.1 base score
9.3
Exploit available
Yes
CVE ID(s)
Description
CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a specially constructed deeplink by an attacker.
This is possible because the plugin does not correctly validate the data coming from the deeplinks before using them.
Vulnerability
This vulnerability occurs because the the plugin does not correctly validate the data coming from the deeplinks before using them.
Exploitation requirements
In order to exploit the plugin, first we need a application that use the plugin.
How to Create an application that uses the plugin
Install Cordova.
Create a new project with Cordova.
Inside the directory of the new project we add the Android platform.
We compile the project to verify that everything is OK.
We also checked that the application runs correctly on a cell phone.
Everything is working fine!
Now we add the CleverTap Cordova Plugin following the instructions in the project repository.
With this we have the latest version of the plugin in our test application.
Now we must replace the content of the
www/js/index.jsfile with the example presented in the repository of the plugin.
In the Androidmanifest
platforms/android/app/src/main/AndroidManifest.xmladd an intent-filter like the following in theMainActivity:
Finally compile the application and install it on an Android device or emulator.
Exploitation
When having an application that uses the vulnerable plugin. The application must have an intent-filter similar to the following:
We create a malicious deeplink (payload) to exploit the vulnerability.
In a directory create the file
index.htmlwith the following content in which is included our "malicious deeplink".
On an http server expose the file created above. In this case, the exposed http server is only accessible from my own local network, so it can only be accessed by devices that are on this same network.
Then we send the link to the http server that exposes the file we created to the user via email.
On a device on the same network as the exposed http server, if the user clicks on
click me, the "HelloPOC" application that uses the plugin will be opened and will execute JavaScript code that displays an alert to the user with the text "Fluid Attacks POC".
Evidence of exploitation
Our security policy
We have reserved the CVE-2023-2507 to refer to this issue from now on. Disclosure policy
System Information
Version: CleverTap Cordova Plugin 2.6.2
Operating System: Android API 33
Mitigation
An updated version of CleverTap Cordova Plugin is available at the vendor page.
References
Vendor page https://github.com/CleverTap/clevertap-cordova
Timeline
Vulnerability discovered
Jun 19, 2023
Vendor Confirmed Vuln.
Jun 23, 2023
Vendor contacted
Jun 20, 2023
Public disclosure
Jul 14, 2023
