WebCTRL OEM 6.5 Cross Site Scripting

2021.10.29
Credit: 3ndG4me
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS) # Date: 4/07/2021 # Exploit Author: 3ndG4me # Vendor Homepage: https://www.automatedlogic.com/en/products/webctrl-building-automation-system/ # Version: 6.5 and Below # CVE : CVE-2021-31682 --Summary-- The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. Automated Logic https://www.automatedlogic.com/en/products-services/webctrl-building-automation-system/ --Affects-- - WebCTRL OEM - Versions 6.5 and prior --Details-- The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. This issue impacts versions 6.5 and below. This issue works by passing in a basic XSS payload to a vulnerable GET parameter that is reflected in the output without sanitization. This can allow for several issues including but not limited to: - Hijacking a user's session - Using XSS payloads to capture input (keylogging) -- Proof of Concept -- The following URL parameter was impacted and can be exploited with the sample payload provided below: - https://example.com/index.jsp?operatorlocale=en/><script>alert("xss")</script> --Mitigation-- Sanitize any user controlled input in both form fields and URL parameters to properly encode data so it is not rendered as arbitrary HTML/JavaScript. --Timeline-- - 4/07/2021: XSS Vulnerability was discovered and documented. - 4/17/2021: A temporary CVE identifier was requested by MITRE. Automated Logic was also notified with the full details of each finding via their product security contact at https://www.automatedlogic.com/en/about/security-commitment/. A baseline 90 day disclosure timeline was established in the initial communication. - 7/23/2021: MITRE Assigns CVE ID CVE-2021-31682 to the vulnerability. - 9/08/2021: Automated Logic formally responds requesting the CVE identifier and states that the issue should be patched in newer versions of the product. - 10/20/2021: The researcher responds with the CVE identifier and a request for all impacted version numbers so they can release a more accurate impacted list of products when full disclosure occurs. Automate Logic responds with a list of impacted versions the same day, and the researcher publicly discloses the issue and submits a CVE details update request to MTIRE.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top