app: connect-app (cdu) (version: 3.8)
cross-site scripting in the registration form name variables. Remote attackers can inject js payloads as name variables to exploit the frontend in the profile view and potentially execute in the backend via the preview. Uncertainty in validating object names in outbound emails, causing the context to be validated insecurely. This allows reflected execution in the message body of the email where the name variable is visible. You can see in the main validation how the developers have tried to parse and encode the content with backslashes and other characters. In this way, the type of validation can easily be bypassed by using simple frames with a source that points to a external link. We have tested this in the portal where the code is executed, we have tested it in the outgoing service emails that insert the name variably in the email body, and we have also tested the stored content that was submitted via the API. All contents was transmitted insecurely and can be manipulated to trigg
er simple cross-site scripting payloads, hijack user session credentials or manipulate outbound emails with reflected malicious content on the application side.
We decided to bring the issue directly to the public after the CDU opened a court case to criminalise a German hacker following a Whitehat report. Normally we wanted to report the vulnerabilities directly via Responsible Disclosure, but were deterred by incidents mentioned above. These did not stop us but we therefore chose another way to make noise.
ref: https://www.golem.de/news/connect-app-cdu-verklagt-offenbar-hackerin-nach-melden-von-luecken-2108-158647.html
ref: https://www.golem.de/news/connect-app-cdu-nimmt-wahlkampf-app-nach-datenleck-offline-2105-156471.html
greetz to cdu
by team smackback