Omada Identity Cross Site Scripting

2024.12.09
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

SEC Consult Vulnerability Lab Security Advisory < 20241127-0 > ======================================================================= title: Stored Cross-Site Scripting product: Omada Identity vulnerable version: <v15U1, <v14.14 hotfix #309 fixed version: v15U1, v14.14 hotfix #309 CVE number: CVE-2024-52951 impact: Medium homepage: https://omadaidentity.com/products/omada-identity/ found: 2024-03-20 by: Daniel Hirschberger (Office Bochum) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Omada Identity is a modern, enterprise-ready IGA solution that is deployed on-premises, giving you full control over your data and security. Our solution is easy to use, highly customizable, and gives you complete visibility into your environment without having to write a single line of code but is completely customizable to address any requirement. With built-in automation features, Omada Identity can help you streamline your workflows, improve efficiency, and strengthen your security posture." Source: https://omadaidentity.com/products/omada-identity/ Business recommendation: ------------------------ Upgrade to version v15U1 or install hotfix #309 for v14.14. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Stored Cross-Site Scripting (CVE-2024-52951) An authenticated user can inject JavaScript in the "Request Reason". The injected JavaScript code will be executed if another user looks at the "History" of this access request. An attacker can then execute arbitrary JavaScript in the browser of other users which could for example be used for phishing attacks. Proof of concept: ----------------- 1) Stored Cross-Site Scripting (CVE-2024-52951) An authenticated user can submit an access request and has to specify a reason why the access should be provided. <1-1_request_access.png> This request has to be intercepted and modified, e.g.: -------------------------------------------------------------------------------- POST /workitemdlg.aspx?ACTTEMP=XXX&RURLID=YYY HTTP/1.1 Host: $SERVER Cookie: oissessionid=$MYSESSION [...] Content-Type: application/x-www-form-urlencoded [...] 1000104=Need+hello+access+and+bigfun<iframe+src=javascript:alert(document.domain)></iframe>&1000102=I+would+like+to+request+access+to+%5Bspecify+system%5D+so+I+can+perform+my+%5Bspecify+duties%5D+duties+related+to+my+work+as+a+%5Bspecify+position%5D. [...] -------------------------------------------------------------------------------- Afterwards, anyone who reviews the "History" of this access request will be affected by the stored JavaScript code. Users who review the history requests are usually managers who have to approve this request, so this vulnerability allows reliably affecting higher-privileged users. <1-2_trigger_xss.png> Vulnerable / tested versions: ----------------------------- The following version of the on-prem solution has been tested which was the latest version available at the time of the test: * 14.0.14.36 Previous versions of v14.14 hotfix #309 are affected according to the vendor, as well as <v15U1. Vendor contact timeline: ------------------------ 2024-04-08: Contacting vendor through contract@omadaidentity.com; no response. 2024-04-24: Contacting vendor through contract@omadaidentity.com and info@omadaidentity.com; no response. 2024-05-06: Contacting vendor through their "Contact Us" form; We were contacted by Sales and forwarded the email to them. 2024-05-08: CISO contacts us, we sent the advisory via provided Sharepoint link. 2024-05-13: Vendor confirms security issues. XSS is fixed now and hotfixes are created for their releases. Second finding was disputed and seems to be a misconfiguration. Removed issue 2 from advisory. 2024-05-27: Asking for a status update regarding XSS hotfixes. 2024-05-27: Vendor: May cloud update is scheduled for 29th May. On-prem release version v15U1 is planned for 12th June. Hot-fix for on-prem version 14.14 is also planned for 12th June. 2024-06-17: Asking if Hotfix is released 2024-06-21: Vendor: Hotfix #309 for v14.14 is released 2024-06-24: Vendor: asks if we are satisfied with the follow-up We agree and respect the wish to delay the publication of the advisory for at least one month. 2024-10-08: Asking vendor regarding CVE assignment. 2024-10-11: Vendor is waiting for internal confirmation regarding next steps, update hopefully next week. 2024-10-08: Asking for a status update, whether we should assign a CVE. 2024-10-31: Vendor responds with calculated CVSS vectors and asks for our opinions; We agree that the CVSS Base Score looks correct and ask to clarify if they want to register the CVE themselves or if we as a CNA should register it for them. 2024-11-18: Received CVE number from vendor; We provide our CVE details to the vendor and ask them to update the CVE entry. 2024-11-22: Vendor notifies us about the CVE update, gives us a green light for the publication and thanks us for our cooperation; We mention that we will publish it in the following week and also thank the vendor. 2024-11-27: Release of security advisory. Solution: --------- Upgrade to version v15U1 or install hotfix #309 for v14.14. Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Daniel Hirschberger / @2024


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top