CVE-2022-21649

7.6 HIGH

📋 TL;DR

CVE-2022-21649 is a stored cross-site scripting (XSS) vulnerability in Convos chat software where URLs starting with 'https://' in chat messages are improperly sanitized, allowing attackers to inject malicious scripts. The vulnerability affects all Convos users who view chat messages containing crafted malicious links. Attackers can execute arbitrary JavaScript in victims' browsers when they interact with the malicious chat messages.

💻 Affected Systems

Products:
  • Convos
Versions: All versions before commit 86b2193de375005ba71d9dd53843562c6ac1847c
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Convos deployments with the vulnerable code are affected regardless of configuration. The vulnerability exists in how URLs are processed in chat messages.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform account takeover, redirect users to malicious sites, or deploy malware through the chat interface affecting all users of the vulnerable Convos instance.

🟠

Likely Case

Attackers inject malicious scripts to steal session tokens or credentials from logged-in users, potentially compromising their accounts and accessing private chat conversations.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to have the ability to post chat messages. Public proof-of-concept demonstrates the vulnerability using onfocus and autofocus attributes in crafted URLs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 86b2193de375005ba71d9dd53843562c6ac1847c

Vendor Advisory: https://github.com/convos-chat/convos/security/advisories/GHSA-xmpj-xwm3-vww7

Restart Required: Yes

Instructions:

1. Update Convos to the latest version or apply commit 86b2193de375005ba71d9dd53843562c6ac1847c.
2. Restart the Convos service.
3. Verify the fix by checking that URLs with malicious attributes are properly escaped.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side filtering to escape double quotes in URL attributes before processing chat messages.

Modify the Convos source code to add proper escaping for double quotes in its URL-processing functions.

🧯 If You Can't Patch

  • Disable URL auto-linking in chat messages configuration
  • Implement web application firewall (WAF) rules to block malicious script injection patterns

🔍 How to Verify

Check if Vulnerable:

Test by posting a chat message containing: https://example.com" onfocus="alert('XSS')" autofocus. If an alert triggers when focusing the link, the system is vulnerable.

Check Version:

Check the Convos version in the web interface, or review the git commit hash if self-hosted.

Verify Fix Applied:

After patching, test with the same malicious URL. The link should render as plain text or properly escaped HTML without executing JavaScript.

📡 Detection & Monitoring

Log Indicators:

  • Chat messages containing unusual URL patterns with onfocus/autofocus attributes
  • Multiple failed JavaScript execution attempts in browser console logs

Network Indicators:

  • Unusual outbound connections from chat users' browsers to external domains following chat interactions

SIEM Query:

search 'chat_message' AND ('onfocus' OR 'autofocus' OR 'javascript:') in application logs
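The workaround, verification and detection sections above all turn on one point: a URL placed inside an HTML attribute must have its double quotes escaped. The following is an added example (not Convos code) with a deliberately simplified linkifier in the vulnerable shape, its hardened form, a helper for the "Verify Fix Applied" check, and a log filter matching the SIEM query; the URL matcher and the log line format are assumptions for illustration.

```javascript
// Added example (not Convos code): vulnerable vs. hardened linkifier plus checks.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Assumption (not the real Convos matcher): a message that starts with https://
// is treated as one URL, so every character, quotes included, reaches the href.
const URL_RE = /^https:\/\/.+$/;

// Vulnerable shape: the URL is interpolated into href="..." unescaped, so a
// double quote closes the attribute and the rest is parsed as more attributes.
function linkifyVulnerable(message) {
  return message.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened shape: attribute value and link text are both HTML-escaped, so a
// quote survives only as &quot; and cannot terminate the attribute.
function linkifyHardened(message) {
  return message.replace(URL_RE, (url) => {
    const safe = escapeHtml(url);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Verification helper: text between the end of the href value and the closing
// ">" of the opening tag. A correctly escaped link yields "".
function attributesAfterHref(html) {
  const m = html.match(/<a href="[^"]*"([^>]*)>/);
  return m ? m[1].trim() : null;
}

// Detection helper mirroring the SIEM query: flag log lines whose message carries
// an inline event handler, autofocus, or a javascript: URL (coarse; tune to taste).
const SUSPICIOUS_RE = /\bon[a-z]+\s*=|\bautofocus\b|javascript:/i;
function flagSuspiciousMessages(logLines) {
  return logLines.filter((line) => SUSPICIOUS_RE.test(line));
}

// Constructed sample log lines: a benign URL and the check string from the page.
const SAMPLE = [
  'chat_message user=alice text=https://example.com/docs?a=1&b=2',
  `chat_message user=mallory text=https://example.com" onfocus="alert('XSS')" autofocus`,
];
```

Running attributesAfterHref over both linkifiers with the page's check string shows the vulnerable form leaking onfocus and autofocus onto the anchor while the hardened form leaks nothing.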
