HTML injection risk in Description on PVE GUI

pghv

New Member
Mar 11, 2024
You can set arbitrary text in the description config entry of a VM and this will show up in the GUI's Notes field, via:

qm set 1000 --description "stuff"

I am using this for metadata on the VM, i.e.:
Code:
Stuff

stuff 2
<metadata>e2NpZGlza19oYXNoOiBjNDVhMzhjYWE0NDg3NTAzNmZmNmIxMTRjZWRhNTdlZDFhMjZjOWI1fQo=</metadata>


When I view the PVE GUI's Notes field, it is not HTML-encoded, so the source code of the actual page now has a <metadata> in the web page source code. This is a security vulnerability as a malicious admin could inject HTML code into admins' browsers.

for future reference, we do have an established security reporting channel:

https://pve.proxmox.com/wiki/Security_Reporting

the notes view is using a special markdown parser defined here:

https://git.proxmox.com/?p=proxmox-...1aff65080073065eb700d8868653a9adde83f;hb=HEAD

it forbids many HTML tags and mangles others; if you find a problematic input that actually breaks the guarantees it is supposed to provide (no XSS or breaking rendering of anything not inside the notes), please report it to us directly via the address mentioned in our security reporting guidelines.
 
  • Like
Reactions: fba
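As an added illustration of the point both posts make (this is not Proxmox code; the tag allow-list, the function names and the sample description are constructed assumptions), the snippet below HTML-encodes a VM description before it reaches the DOM, re-enables only a fixed set of attribute-free tags, and offers a check that flags descriptions carrying any other tag, such as the <metadata> element from the first post:

```javascript
// Added example, not taken from the Proxmox notes renderer. The allow-list is
// an assumption chosen for illustration; a real renderer would pick its own.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "code", "br", "p"]);

// Escape the five characters that change meaning when text lands in HTML.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Detection side: list every tag name in the description that is not on the
// allow-list, so an operator can audit existing descriptions for raw HTML.
function findDisallowedTags(text) {
  const found = new Set();
  for (const m of text.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)[^>]*>/g)) {
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) found.add(name);
  }
  return [...found].sort();
}

// Rendering side: escape everything first, then re-enable only allow-listed
// tags written without attributes. Any other tag, and any tag carrying
// attributes, stays visible as literal text instead of becoming markup.
function renderNotes(text) {
  const escaped = escapeHtml(text);
  return escaped.replace(/&lt;(\/?)([a-zA-Z]+)&gt;/g, (whole, slash, name) =>
    ALLOWED_TAGS.has(name.toLowerCase()) ? `<${slash}${name}>` : whole);
}

// Constructed sample with the same shape as the description in the post
// (the base64 payload is replaced by a placeholder).
const sampleDescription =
  "Stuff\n\nstuff 2\n<metadata>BASE64-PLACEHOLDER</metadata>\n<b>bold</b>";

console.log(findDisallowedTags(sampleDescription)); // ["metadata"]
console.log(renderNotes(sampleDescription));
```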