# Vulnerability type: Cross-site Scripting
# Vendor: https://www.unit4.com/
# Product: Financials by Coda
# Product site: https://www.unit4.com/fr/products/financial-management-software
# Affected version: < 2023Q4
# Fixed version: 2023Q4
# Credit: Léo DRAGHI
# CVE: CVE-2024-28734
# PROOF OF CONCEPT
The /coda/frameset endpoint, accessible by any unauthenticated user, reflects the value of the cols parameter.
Since this value is not properly sanitized and encoded when the web page is rendered, this could allow a malicious actor to execute JavaScript code in the context of another user's browser by only sending to a victim a malicious link.
GET /coda/frameset?cols="><frame%20src="javascript:alert('XSS')"> HTTP/2
Host: <target>
# TIMELINE
– 30/10/2023: Vulnerability found
– 02/11/2023: Vendor informed
– 05/12/2023: Vendor fixed the issue
– 14/03/2024: Public disclosure