Financials By Coda Cross Site Scripting

2024.03.16

Credit: Leo Draghi

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2024-28734

CWE: CWE-79

# Vulnerability type: Cross-site Scripting
# Vendor: https://www.unit4.com/
# Product: Financials by Coda
# Product site: https://www.unit4.com/fr/products/financial-management-software
# Affected version: < 2023Q4
# Fixed version: 2023Q4
# Credit: Léo DRAGHI
# CVE: CVE-2024-28734
# PROOF OF CONCEPT
The /coda/frameset endpoint, accessible by any unauthenticated user, reflects the value of the cols parameter.
Since this value is not properly sanitized and encoded when the web page is rendered, this could allow a malicious actor to execute JavaScript code in the context of another user's browser by only sending to a victim a malicious link.
GET /coda/frameset?cols="><frame%20src="javascript:alert('XSS')"> HTTP/2
Host: <target>
# TIMELINE
– 30/10/2023: Vulnerability found
– 02/11/2023: Vendor informed
– 05/12/2023: Vendor fixed the issue
– 14/03/2024: Public disclosure

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Financials By Coda Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.