StackStorm st2web Web UI CORS Protection Mechanism Bypass Cross-Site Scripting Vulnerability

A vulnerability in the StackStorm st2web Web UI could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the targeted system.

The vulnerability exists because the affected software mishandles Cross-Origin Resource Sharing (CORS) headers. In particular, a request that carries an Origin header with the literal value null is answered as if it came from a trusted origin, which bypasses the CORS protection mechanism. Browsers send Origin: null for contexts such as sandboxed iframes and pages loaded from local files, so an attacker could exploit this vulnerability by persuading a user to access a link to attacker-controlled content that submits requests to the targeted system from such a context while the user is authenticated. A successful exploit could allow the attacker to conduct an XSS attack on the targeted system, which could lead to the execution of arbitrary script code in the context of the targeted user's browser, or allow the attacker to read sensitive browser-based information, including responses returned to the user's authenticated session.
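The flawed and hardened CORS handling patterns described above, as an added illustration that is not StackStorm's own code (the actual st2api logic and its fix are not reproduced here). The allowed-origin list, the function names and the probe request are assumptions for the example:

```python
from typing import Dict, FrozenSet, List

# Assumption (hypothetical deployment): the only origin that should be allowed
# to make credentialed cross-origin calls to the API is the UI's own origin.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({"https://st2web.example.com"})


def cors_headers_vulnerable(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Flawed pattern: echo whatever Origin value the client sent, including the
    literal string "null", and allow credentials.  Browsers send Origin: null for
    sandboxed iframes and file:// pages; an attacker page in such a context
    therefore passes the browser's CORS check and can read the body of
    authenticated responses."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser client: no CORS headers needed
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cors_headers_hardened(request_headers: Dict[str, str],
                          allowed: FrozenSet[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Hardened pattern: compare the Origin value exactly against a fixed
    allow-list and never treat "null" as allowable.  Anything else gets no
    Access-Control-Allow-* headers, so the browser blocks the cross-origin read."""
    origin = request_headers.get("Origin")
    if origin is None or origin == "null" or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,  # exact allow-listed value, never "*"
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cors_bypass_indicators(response_headers: Dict[str, str]) -> List[str]:
    """Given the response headers from a probe request sent with 'Origin: null',
    return the findings that show a null-origin page could read the response.
    Header names are matched case-insensitively."""
    lower = {name.lower(): value for name, value in response_headers.items()}
    acao = lower.get("access-control-allow-origin")
    creds = lower.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[str] = []
    if acao == "null":
        findings.append("Access-Control-Allow-Origin reflects Origin: null")
        if creds:
            findings.append("Access-Control-Allow-Credentials: true, so the "
                            "victim's session credentials are usable cross-origin")
    return findings


# Constructed probe: the request a null-origin page would cause the browser to send.
PROBE_REQUEST = {"Origin": "null"}

if __name__ == "__main__":
    print("vulnerable:", cors_bypass_indicators(cors_headers_vulnerable(PROBE_REQUEST)))
    print("hardened:  ", cors_bypass_indicators(cors_headers_hardened(PROBE_REQUEST)))
```

To check a live instance, send a request to an st2api endpoint with the header Origin: null (for example with curl -si -H 'Origin: null') and pass the returned headers to cors_bypass_indicators; an Access-Control-Allow-Origin: null response, especially together with Access-Control-Allow-Credentials: true, is the behaviour the fixed releases remove.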

StackStorm has confirmed the vulnerability and released software updates; the issue is fixed in StackStorm 2.9.3 and 2.10.3.

Security Impact Rating: Medium

CVE: CVE-2019-9580

Source: Cisco Multivendor Vulnerability Alerts