Java System Solutions SSO Plugin For BMC MyIT 4.0.13.1 Cross Site Scripting

2018.08.23
Credit: Marco Murch
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Title: ====== Reflected XSS in Java System Solutions SSO Plugin 4.0.13.1 for BMC MyIT Description: ============ Reflected Cross-Site Scripting in Java System Solutions' BMC MyIT SSO Plugin version 4.0.13.1 was identified during a penetration test. Other versions might be affected as well. A remote attacker can abuse this issue to inject client-side scripts into the "select_sso()" function. The payload is triggered when the victim opens a prepared link and hits the "Login" button. Proof-of-concept: ================= Open https://<hostname>/ux/jss-sso/arslogin?javascript:alert(%27Deloitte%20XSS%20PoC%27) and hit the "Login" button. Affected function: ================== function select_sso() { console.log('SSO login'); id('loginForm').action= 'javascript:alert(%27Deloitte%20XSS%20PoC%27)'; id('username').name= 'username'; id('password').name= 'password'; usingsso(true); Solution: ========= Contact vendor for fix. Disclosure Timeline: ==================== 2018-07-17: Vulnerability discovered 2018-07-17: Vulnerability reported to manufacturer 2018-07-17: Response from manufacturer that vulnerability is known and has been fixed, but refused to provide any details 2018-08-09: Requested CVE ID from MITRE; CVE-2018-15528 was reserved 2018-08-20: Public disclosure of vulnerability & notification to manufacturer Credits: ======== This security vulnerability was found by Marco Murch of Deloitte GmbH. E-Mail: mamu[DELETE_ME_:-)]rch[at]deloitte[dot]de


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top