Описание
Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability
Summary
A cross-site scripting (XSS) vulnerability in Fleet’s Windows MDM authentication flow could allow an attacker to compromise a Fleet user account. In certain cases, this could lead to administrative access and the ability to perform privileged actions on managed devices.
Impact
If Windows MDM is enabled, an attacker could exploit a cross-site scripting (XSS) vulnerability by convincing an authenticated Fleet user to visit a malicious link. Successful exploitation could allow retrieval of the user’s Fleet authentication token from their browser.
A compromised authentication token may grant administrative access to the Fleet API, allowing an attacker to perform privileged actions such as deploying scripts to managed hosts.
This issue does not allow unauthenticated access and does not affect instances where Windows MDM is disabled.
Patches
- 4.78.2
- 4.77.1
- 4.76.2
- 4.75.2
- 4.53.3
Workarounds
If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
For more information
If you have any questions or comments about this advisory:
Email us at security@fleetdm.com Join #fleet in osquery Slack
Credits
We thank @secfox-ai for responsibly reporting this issue.
Пакеты
github.com/fleetdm/fleet
>= 4.78.0, < 4.78.2
4.78.2
github.com/fleetdm/fleet
>= 4.77.0, < 4.77.1
4.77.1
github.com/fleetdm/fleet
>= 4.76.0, < 4.76.2
4.76.2
github.com/fleetdm/fleet
>= 4.75.0, < 4.75.2
4.75.2
github.com/fleetdm/fleet/v4
< 4.43.5-0.20260111020427-0e6c790803d1
4.43.5-0.20260111020427-0e6c790803d1
Связанные уязвимости
fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.