An undisclosed Cross-Site Scripting (XSS) vulnerability in Apache Velocity Tools can be exploited by unauthenticated attackers to target government sites, including NASA, BleepingComputer reported today.
Although 90 days have elapsed since the vulnerability was reported and patched, BleepingComputer is not aware of a formal disclosure made by the project.Security researcher Jackson Henry of the Sakura Samurai ethical hacking group had first discovered and reported the vulnerability to Apache in early October, 2020.
Although the project had acknowledged Henry’s report and issued a publicly visible fix on GitHub on November 5th, 2020, a proper public disclosure never took place which left Sakura Samurai researchers concerned.
Commenting on the news, Craig Young, principal security researcher at Tripwire, explained:
The vulnerability in question is a case of reflected cross-site scripting. With this type of weakness, the attacker prepares a malicious link and must convince victims to load this malicious address link in their browsers.
The impact of a reflected cross-site scripting generally varies based on whether the victim of an attack was authenticated to the affected site. If a logged-on user loads an attack URL, the attacker will be able to perform actions on the affected site using the victim’s account.
Besides using cross-site scripting for privilege escalation, an attacker might use this vulnerability to spoof content on vulnerable sites. For example, someone looking to spread conspiracy theories online could prepare links which make it look like official government web sites are confirming wild conspiracy theories. It’s also possible to imagine other, more targeted, attacks leveraging this style of spoofing attack.