ebankIT 6 Cross Site Scripting

2023.04.30
Credit: Jake Murphy
Risk: Low
Local: No
Remote: No
CWE: CWE-79

CVE-2023-30454 [Description] An issue was discovered in ebankIT before version 7. Document Object Model based XSS exists within the /Security/Transactions/Transactions.aspx endpoint. Users can supply their own JavaScript within the ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray POST parameter that will be passed to an eval() function and executed upon pressing the continue button. ------------------------------------------ [Vulnerability Type] Cross Site Scripting (XSS) ------------------------------------------ [Vendor of Product] ebankIT ------------------------------------------ [Affected Product Code Base] ebankIT - Omnichannel Digital Banking Platform - Version 6, patched in version 7 ------------------------------------------ [Affected Component] The endpoint existing at: /Security/Transactions/Transactions.aspx ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Code execution] true ------------------------------------------ [Attack Vectors] I discovered a Document Object Model-based Cross-Site Scripting issue within the ebankIT platform. While manually inspecting the client-side JavaScript code I came across the variable JSONText. This variable was using the eval function to parse data passed to it through the accobj variable. Knowing the eval function evaluates text as JavaScript, I proceeded to locate exactly what data was passed to this variable. I found that the data could be supplied by a user during a Transfer request (on /Security/Transactions/Transactions.aspx), when selecting which account to transfer from. To execute this XSS, I intercepted our test user s Transfer request, supplied my own custom JavaScript alert(4) in the ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray POST parameter, and pressed the continue button which resulted in the payload successfully executing. ------------------------------------------ [Discoverer] Jake Murphy


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top