low

Elastic Beanstalk - XSS in Web Console

Published Thu, Jun 3rd, 2021
Platforms

Summary

An adversary could gain access to IAM credentials in a victim's account, and make an API request to Elastic Beanstalk (even if they didn't have the proper IAM permissions). This request would be displayed in the management console in the Elastic Beanstalk section. Due to improper sanitization, an attacker could insert an XSS payload that would execute in a victim's browser.

Affected Services

AWS Management Console

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Sat, Mar 13th, 2021
Exploitablity Period
March 2021 - June 2021
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Nick Frichette, null