
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-32828 is a security vulnerability in the Nuxeo Platform, an open-source content management platform for building business applications. The vulnerability was identified in version 11.5.109 and affects the oauth2 REST API. The issue was discovered on April 28, 2021, reported to Nuxeo on April 29, 2021, and fixed by June 7, 2021 (GitHub Security Lab).
The vulnerability is a reflected cross-site scripting (XSS) flaw in the /oauth2/{serviceProviderName}/callback REST endpoint. The root cause is that the endpoint neither uses the @Produces annotation nor calls Response.type() explicitly to fix the content type of the HTTP response. Jersey therefore selects the response content type by content negotiation against the client's Accept header, so an attacker can choose the content type in which the response is served. The vulnerability is triggered when a logged-in user visits the vulnerable endpoint (GitHub Security Lab).
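As an added illustration of the root cause described above (hypothetical code written for this entry, not Nuxeo's code and not taken from the GitHub Security Lab report), the following minimal JAX-RS resource shows the weak pattern beside its hardened form; the class, method and path names are assumptions.

```java
// Hypothetical JAX-RS resource modelled on the pattern described above.
// Not Nuxeo's code; names are assumptions made for this illustration.
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/oauth2")
public class Oauth2CallbackResource {

    // Weak: no @Produces on the method and no Response.type() on the response.
    // Jersey then picks the media type by content negotiation against the
    // client's Accept header, so a request carrying "Accept: text/html" gets
    // this String entity, which reflects the path parameter, served as HTML.
    @GET
    @Path("/{serviceProviderName}/callback")
    public Response callbackWeak(@PathParam("serviceProviderName") String provider) {
        return Response.status(Response.Status.BAD_REQUEST)
                .entity("Unknown service provider: " + provider)
                .build();
    }

    // Hardened: the media type is fixed server-side. @Produces restricts what
    // the method can emit, and Response.type() pins it on the response itself,
    // so the Accept header can no longer turn the reflected text into HTML.
    @GET
    @Path("/{serviceProviderName}/callback-fixed")
    @Produces(MediaType.TEXT_PLAIN)
    public Response callbackFixed(@PathParam("serviceProviderName") String provider) {
        return Response.status(Response.Status.BAD_REQUEST)
                .type(MediaType.TEXT_PLAIN)
                .entity("Unknown service provider: " + provider)
                .build();
    }
}
```

To confirm a deployment is patched, send a request to the endpoint with an Accept header of text/html and verify that the Content-Type of the response stays text/plain rather than following the Accept header.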
The impact is severe because the XSS can be escalated to remote code execution (RCE). Nuxeo exposes a powerful automation API, and the XSS can be used to reach the runScript endpoint or any automation endpoint that accepts expr parameters. This allows execution of arbitrary JavaScript code and, through the automation API, arbitrary system commands (GitHub Security Lab).
The vulnerability was fixed in a security update released on June 7, 2021. Nuxeo asked to postpone public disclosure until June 15, 2021, to give users sufficient time to upgrade their systems (GitHub Security Lab).
Source: This report was generated using AI