RXSS in onpremises version of structurizr in structurizr/onpremises

Reported on Oct 3rd 2023

During the investigation it was found that the onpremises API endpoint's GET parameter version is vulnerable to XSS injection: /workspace/[workspaceid]?version=1;

Proof of Concept

1. Visit the link provided: http://<your-host>/workspace/1/?version=1%22);alert(1);
2. XSS injected


JavaScript code execution in the context of the user's web browser.


As I understand the logic of the app, ${workspace.internalVersion} should have only integer values:
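The following is an added illustration, not code from the Structurizr on-premises project or from the reporter, of the pattern the report describes: a request-controlled version value landing inside a <script> block, beside the constraint the report expects (an integer-only internalVersion). The class name WorkspaceVersionRendering, the loadWorkspace() script function and the digit-only regular expression are assumptions chosen for the example; the actual fix in commit 6cff4f may differ.

```java
import java.util.Optional;
import java.util.regex.Pattern;

// Added example (not structurizr/onpremises code). Models a JSP-style template that
// writes a workspace version into an inline script, first unconstrained, then
// restricted to the integer the application expects.
public class WorkspaceVersionRendering {

    // Assumption: an internal version is a positive integer of at most 9 digits,
    // which always fits in a Java int.
    private static final Pattern INTEGER = Pattern.compile("^[0-9]{1,9}$");

    /** Vulnerable pattern: the raw request value is concatenated into a JS string literal,
     *  so a value containing a double quote closes the literal and the call. */
    static String renderUnsafe(String version) {
        return "<script>loadWorkspace(\"" + version + "\");</script>";
    }

    /** Hardened: the value is accepted only if it is the integer the app expects. */
    static Optional<Integer> parseInternalVersion(String raw) {
        if (raw == null || !INTEGER.matcher(raw).matches()) {
            return Optional.empty();
        }
        return Optional.of(Integer.parseInt(raw));
    }

    /** Emits the version as a JS number, never as attacker-shaped text. */
    static String renderSafe(String version) {
        int v = parseInternalVersion(version)
                .orElseThrow(() -> new IllegalArgumentException("version must be a positive integer"));
        return "<script>loadWorkspace(" + v + ");</script>";
    }

    public static void main(String[] args) {
        // URL-decoded form of the value in the report's proof-of-concept URL.
        String reported = "1\");alert(1);";

        System.out.println(renderUnsafe("1"));       // <script>loadWorkspace("1");</script>
        System.out.println(renderUnsafe(reported));  // literal is closed early: injected code follows
        System.out.println(renderSafe("1"));         // <script>loadWorkspace(1);</script>
        try {
            renderSafe(reported);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage()); // non-integer never reaches the page
        }
    }
}
```

Parsing to an integer is sufficient here only because the value is meant to be numeric; a template that must emit a free-form string into a script block needs a JavaScript-context encoder as well, since HTML escaping alone does not neutralise a quote that terminates a JS string literal.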

We are processing your report and will contact the structurizr/onpremises team within 24 hours. 5 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 5 months ago
We have opened a pull request with a SECURITY.md for structurizr/onpremises to merge. 5 months ago
We have contacted a member of the structurizr/onpremises team and are waiting to hear back 5 months ago
structurizr/onpremises maintainer
5 months ago

Thanks - that's fixed in build 3194.

structurizr/onpremises maintainer validated this vulnerability 5 months ago
alexeymyasnikov has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
structurizr/onpremises maintainer marked this as fixed in 3194 with commit 6cff4f 5 months ago
The fix bounty has been dropped
This vulnerability has now been published 5 months ago
workspace-summary.jsp#L239 has been validated
structurizr/onpremises maintainer
4 months ago

Hello, dear structurizr team. Could I request CVE assigning for the related vuln?

structurizr/onpremises maintainer
4 months ago

If you're referring to the graph.jsp vulnerability in the UI repo and you're going to credit the discovery and fix to us, sure, feel free to raise a new CVE. The fix commit is https://github.com/structurizr/ui/commit/8a0cf9564de6a4889c665998407c7de50046bdc8#diff-a981ee479c8ac3427947512bef5bbd17bc0132749b9ea15ed85bfed2958fc923 and the fixed build number is 3157.

structurizr/onpremises maintainer
4 months ago

No, I'm talking about workspace-summary.jsp and fix https://github.com/structurizr/onpremises/commit/6cff4f792b010dfb1ff6a0b4ae1c6e398f8f8a18

structurizr/onpremises maintainer
4 months ago

Could I request CVE assigning for the related vuln?

I'm not sure what you're asking. What does "CVE assigning" mean?

structurizr/onpremises maintainer
4 months ago

If I get it right, this platform can be used to help in the process of CVE assigning. If the vulnerability provided by the researcher is correct, and you validated and fixed it, then it can be added to the vulnerability database (https://cve.mitre.org/) and assigned a CVE number by the host of this website. When you closed my report you decided not to assign a CVE: "This vulnerability will not receive a CVE, 6 days ago". I am just asking you to reconsider your decision and assign a CVE to this vulnerability.

This is what the site host replied to me: "You can request from the maintainer in the comments section to assign a CVE and if they decide to, I can manually assign one on your behalf."

As I understand, this can be done somewhere in the website interface.

structurizr/onpremises maintainer
4 months ago

Apologies, I've never used this platform before. I don't see any actions related to CVEs in the website interface ... just "Thank/Ban researcher". I don't remember seeing anything when I added the fix build number/commit hash either. You're welcome to assign a CVE, but I have no idea how to do it, I'm afraid.

structurizr/onpremises maintainer
4 months ago

Ok, no problem! For me this is also the first time using it. I think we can ask @admin for help.

Ben Harvie
4 months ago


CVE assigned as requested :)
