CVE-2022-31113: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in thinkst canarytokens

Medium
Published: Fri Jul 01 2022 (07/01/2022, 16:30:19 UTC)
Source: CVE
Vendor/Project: thinkst
Product: canarytokens

Description

Canarytokens is an open source tool which helps track activity and actions on your network. A Cross-Site Scripting vulnerability was identified in the history page of triggered Canarytokens. This permits an attacker who recognised an HTTP-based Canarytoken (a URL) to execute JavaScript in the Canarytoken's history page (domain: canarytokens.org) when the history page is later visited by the Canarytoken's creator. This vulnerability could be used to disable or delete the affected Canarytoken, or view its activation history. It might also be used as a stepping stone towards revealing more information about the Canarytoken's creator to the attacker. For example, an attacker could recover the email address tied to the Canarytoken, or place JavaScript on the history page that redirects the creator towards an attacker-controlled Canarytoken to show the creator's network location. An attacker could only act on the discovered Canarytoken. This issue did not expose other Canarytokens or other Canarytoken creators. The issue has been patched on Canarytokens.org and in the latest release. No signs of successful exploitation of this vulnerability have been found. Users are advised to upgrade. There are no known workarounds for this issue.

AI-Powered Analysis

Last updated: 06/23/2025, 03:05:08 UTC

Technical Analysis

CVE-2022-31113 is a Cross-Site Scripting (XSS) vulnerability identified in the Canarytokens project by thinkst. Canarytokens is an open-source tool designed to help organizations track unauthorized activity and actions within their networks by deploying unique, trackable tokens (such as URLs) that alert the creator when triggered. The vulnerability exists specifically in the history page of triggered Canarytokens hosted on the canarytokens.org domain. When a Canarytoken is triggered, its activation details are recorded and displayed on this history page. Due to improper neutralization of input during web page generation (CWE-79), an attacker who discovers an HTTP-based Canarytoken URL can inject malicious JavaScript code into the history page. This JavaScript executes when the Canarytoken creator later views the history page, enabling the attacker to perform actions such as disabling or deleting the affected Canarytoken, viewing its activation history, or extracting sensitive information about the Canarytoken creator. For instance, the attacker could recover the email address associated with the Canarytoken or redirect the creator to an attacker-controlled Canarytoken, potentially revealing the creator's network location. Importantly, the vulnerability is limited in scope: it only affects the specific discovered Canarytoken and does not expose other Canarytokens or creators. The issue has been patched in the latest release and on canarytokens.org, and no evidence of exploitation in the wild has been found. Users are strongly advised to upgrade to the patched version as no workarounds exist.

Potential Impact

For European organizations using Canarytokens, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of their deception infrastructure. Successful exploitation could allow attackers to disable or delete specific Canarytokens, reducing the effectiveness of network monitoring and early intrusion detection. Additionally, attackers could gain sensitive information about the Canarytoken creator, such as email addresses or network location data, potentially facilitating targeted phishing or reconnaissance campaigns. While the vulnerability does not directly compromise broader network assets, the degradation of deception capabilities could delay detection of intrusions, increasing the risk of prolonged unauthorized access. Given that Canarytokens are often deployed by security teams to detect insider threats or external attackers, this vulnerability could undermine trust in these detection mechanisms. However, the impact is limited by the need for the attacker to have prior knowledge of a specific Canarytoken URL and the requirement that the creator visits the history page, which somewhat constrains exploitation opportunities.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately upgrade to the latest patched version of Canarytokens that addresses CVE-2022-31113. Since no workarounds exist, patching is the only effective measure. Organizations should audit their deployed Canarytokens to identify any that may have been exposed or triggered prior to patching and consider redeploying new tokens to replace potentially compromised ones. Additionally, organizations should restrict access to the Canarytoken history pages to trusted personnel only, ideally enforcing strong authentication and network segmentation to limit exposure. Monitoring access logs for unusual activity on these pages can help detect potential exploitation attempts. Security teams should also educate users responsible for managing Canarytokens about the risks of visiting history pages from untrusted networks or devices to reduce the risk of drive-by attacks. Finally, incorporating Content Security Policy (CSP) headers and input sanitization best practices in any custom Canarytoken deployments can further reduce XSS risks.
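The two controls named above, output encoding and a Content Security Policy, are easiest to see side by side in code. The following is an added illustration, not code from the Canarytokens project and not a reconstruction of the actual patch: the advisory does not say which field of a token hit carried the injected markup, so the sample hit records, the column names and the CSP values are all assumptions. It renders a minimal history table once without encoding (the CWE-79 pattern) and once with HTML-entity encoding of every request-derived value, and returns a baseline CSP header as a second layer of defence.

```python
import html

# Constructed sample of token hits, shaped like what a history page could list.
# The second User-Agent carries a script tag purely to show the difference
# between raw and escaped rendering; none of this is data from the advisory.
SAMPLE_HITS = [
    {"timestamp": "2022-06-01T10:00:00Z", "src_ip": "203.0.113.7",
     "user_agent": "Mozilla/5.0 (compatible; example-scanner)"},
    {"timestamp": "2022-06-01T10:05:00Z", "src_ip": "203.0.113.8",
     "user_agent": "<script>alert(1)</script>"},
]

# Hypothetical column layout for the history table.
COLUMNS = ("timestamp", "src_ip", "user_agent")


def render_history_unsafe(hits):
    """Build the history table by string concatenation with no encoding.

    This is the CWE-79 pattern: attacker-influenced request data lands in the
    HTML body verbatim, so a tag inside the User-Agent becomes live markup that
    runs in the creator's browser when the page is viewed.
    """
    rows = []
    for hit in hits:
        cells = "".join(f"<td>{hit[col]}</td>" for col in COLUMNS)
        rows.append(f"<tr>{cells}</tr>")
    return f"<table>{''.join(rows)}</table>"


def render_history_safe(hits):
    """Same table, but every value is HTML-entity encoded before insertion.

    html.escape with quote=True handles <, >, &, " and ', which covers the
    HTML body and quoted attribute contexts used here. Other contexts (URLs,
    inline JavaScript) need their own encoders; a real template engine with
    autoescaping enabled is the usual way to get this right everywhere.
    """
    rows = []
    for hit in hits:
        cells = "".join(
            f"<td>{html.escape(str(hit[col]), quote=True)}</td>" for col in COLUMNS
        )
        rows.append(f"<tr>{cells}</tr>")
    return f"<table>{''.join(rows)}</table>"


def csp_headers():
    """Defence-in-depth response header.

    If an encoding bug slips through, a CSP without 'unsafe-inline' stops a
    CSP-aware browser from running injected inline scripts. The policy below
    is a hypothetical baseline, not the policy canarytokens.org ships.
    """
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'none'; frame-ancestors 'none'"
        ),
    }


def has_live_script_tag(page):
    """Crude check for the demonstration: does the rendered page still contain
    an unescaped <script opening tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    unsafe = render_history_unsafe(SAMPLE_HITS)
    safe = render_history_safe(SAMPLE_HITS)
    print("unsafe page contains live script tag:", has_live_script_tag(unsafe))
    print("safe page contains live script tag:", has_live_script_tag(safe))
    print("CSP header:", csp_headers()["Content-Security-Policy"])
```

Running the block prints `True` for the unencoded page and `False` for the encoded one; the injected tag survives only as the visible text `&lt;script&gt;...`. The CSP is deliberately a second control rather than a replacement for encoding: it limits what an injected script can do in a supporting browser, but the stored data is still wrong until it is encoded at output.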

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-05-18T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9844c4522896dcbf36df

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 3:05:08 AM

Last updated: 8/12/2025, 8:27:05 PM
