Content here will be expanded upon later; for now this serves as a quick description and write-up.
Overview
Dundas BI server has two stable release versions available for download for customers. Version 7.0.2.1009 and Version 8.0.0.1001. Both product versions contain persistent cross-site scripting (XSS) vulnerabilities in the same location.
Version 7.0.2.1009
HTML Label
An authenticated attacker may insert malicious JavaScript code in an HTML label when creating or editing a dashboard. To do this:
- User must be authenticated and have proper permissions to edit or create a dashboard.
- In the dashboard editing screen, click on Components and select “HTML Label”.
- Insert code. PoC: `<script>alert('XSS')</script>`.
![](https://mattschmidt.net/wp-content/uploads/2020/11/version7.png)
![](https://mattschmidt.net/wp-content/uploads/2020/11/html-box-xss-1.png)
![](https://mattschmidt.net/wp-content/uploads/2020/11/xss-executing.png)
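As an added example (not code from the write-up or from Dundas), the helper below walks stored HTML label markup with Python's standard HTML parser and flags the constructs that can execute script, so a defender can triage existing dashboards for content like the PoC above after patching. The sample labels are constructed for the example; the fix itself belongs server-side, as allowlist sanitization of label markup before it is stored or rendered, and this helper only flags, it does not sanitize.

```python
from html.parser import HTMLParser

# Constructed sample dashboard content: one benign label next to the
# write-up's PoC string and two other script-capable forms.
SAMPLE_LABELS = {
    "benign": "<b>Sales</b> by <i>region</i>",
    "poc": "<script>alert('XSS')</script>",
    "handler": '<img src="x" onerror="alert(1)">',
    "js_url": '<a href="javascript:alert(1)">report</a>',
}


class LabelAuditor(HTMLParser):
    """Records anything in an HTML label that can run script."""

    SCRIPT_TAGS = {"script", "iframe", "object", "embed"}
    URL_ATTRS = {"href", "src", "action", "formaction"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes
        # character references in attribute values before we see them.
        if tag in self.SCRIPT_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"handler:{name}")
            elif name in self.URL_ATTRS and value:
                if value.strip().lower().startswith("javascript:"):
                    self.findings.append(f"url:{name}")


def audit_label(markup):
    """Return the list of script-capable findings for one label's markup."""
    auditor = LabelAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


def audit_dashboard(labels):
    """Map label name -> findings for every label that has at least one."""
    return {name: f for name, html in labels.items() if (f := audit_label(html))}


if __name__ == "__main__":
    for name, findings in audit_dashboard(SAMPLE_LABELS).items():
        print(f"{name}: {', '.join(findings)}")
```

Run it against the exported label content of each dashboard; any label with findings is worth a manual look, while an empty result is a triage aid, not proof the label is clean.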
Button XSS
![](https://mattschmidt.net/wp-content/uploads/2020/11/v7-button.png)
![](https://mattschmidt.net/wp-content/uploads/2020/11/v7-button-xss.png)
Version 8.0.0.1001
The same vulnerabilities exist within the latest deployment of Dundas.
![](https://mattschmidt.net/wp-content/uploads/2020/11/version8.png)
HTML Label XSS
![](https://mattschmidt.net/wp-content/uploads/2020/11/version8-xss.png)
![](https://mattschmidt.net/wp-content/uploads/2020/11/xss-executing-1.png)
Button XSS
- Click Components and add a button.
- Select the button.
- Click Properties and select Click (or another action such as “Double Click”, “Hover”, etc.).
- Insert script and click “Build”.
![](https://mattschmidt.net/wp-content/uploads/2020/11/button-xss-2.png)
![](https://mattschmidt.net/wp-content/uploads/2020/11/v8-button-xss-execute.png)