Wiz
Vulnerability DatabaseGHSA-cr3w-cw5w-h3fj

GHSA-cr3w-cw5w-h3fj
JavaScript vulnerability analysis and mitigation

Summary

  1. There is a reflected XSS vulnerability in the GET /admin/edit-codepage/:name route through the name parameter. This can be used to hijack the session of an admin if they click a specially crafted link.
  2. Additionally, there is a Command Injection vulnerability in GET /admin/backup. The admin can inject a shell command in the backup password which is inserted in the command used to create the backup zip.Both vulnerabilities can be chained to craft a malicious link which will execute an arbitrary shell command on the server if it is clicked by a saltcorn admin with an active session. I believe iframes could also be used to exploit this silently when the admin visits an attacker-controlled web page (though I have not tested that).

Details

  1. The XSS vulnerability is here: https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/server/routes/admin.js#L4886-L4887 Specifically, the name parameter is inserted into the pages breadcrumbs without sanitization.
  2. The Command Injection happens here: https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/saltcorn-admin-models/models/backup.ts#L381-L382

PoC

  1. A minimal PoC for the XSS can be as simple as: http://localhost:3000/admin/edit-codepage/%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E%0A (assuming saltcorn running at localhost:3000 and the user having an active admin session)
  2. For the Command Injection, visit the backup section of saltcorn, set an admin password like ";$(whoami);" (including the quotation marks) and then click "Download a backup" in the "Manual backup" section. This should display an error page saying that /bin/sh could not find the binary named "root" or "saltcorn", depending on the user.An example of an exploit that chains both vulnerabilities and generates the aforementioned malicious link:exploit.zip

Affected Versions

Edit: The following Docker containers from docker hub were tested: 1.4.1, 1.4.0, 1.3.1, 1.3.0, 1.2.0, 1.1.2, 1.1.1, 1.0.0 The Command Injection is applicable to versions >= 1.3.0. The XSS is applicable to versions >= 1.1.1

SourceNVD

Related JavaScript vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

GHSA-cr3w-cw5w-h3fjCRITICAL9.6
  • JavaScriptJavaScript
  • @saltcorn/server
NoYesJan 26, 2026
CVE-2026-24131MEDIUM6.7
  • JavaScriptJavaScript
  • pnpm
NoYesJan 26, 2026
CVE-2026-24056MEDIUM6.7
  • JavaScriptJavaScript
  • pnpm
NoYesJan 26, 2026
CVE-2026-23890MEDIUM6.5
  • JavaScriptJavaScript
  • pnpm
NoYesJan 26, 2026
CVE-2026-23889MEDIUM6.5
  • JavaScriptJavaScript
  • pnpm
NoYesJan 26, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo