La Sostenibilità per TIM

Il Report 2024 accoglie i principi della Corporate Sustainability Reporting Directive (CSRD) ed è incluso nella Relazione Finanziaria e di Sostenibilità. Approfondisci

Ultimi Comunicati Stampa

Redazione ufficio stampa

Leggi gli ultimi comunicati stampa e naviga nell'archivio dell'Ufficio Stampa del Gruppo TIM. Leggi i comunicati

CVE-2022-45169

CVE-2022-45169 – LiveBox Collaboration vDesk

Vulnerability Description: Redirection to Untrusted Site ('Open Redirect') – CWE-601

Software Version: ≤v031

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45169

CVSv3: 5.4

Severity: Medium

Credits: Luca Borzacchiello, Andrea Carlo Maria Dattola, Massimiliano Ferraresi, Massimiliano Brolli

The web application allows an authenticated user to send an arbitrary push notification (including clickable links) to another arbitrary user of the application.

 

Step-by-step instructions and PoC

An authenticated user can send an arbitrary push notification to any other user of the system. The push notification can include an (invisible) clickable link.

The vulnerability can be exploited sending a POST request (including the authentication cookie) to the following vulnerable endpoint:

 

·       https://vdeskbridge.[HOSTNAME]/api/v1/notification/createnotification

 

Payload used to exploit the vulnerability:

Figure 1 – Details of payload

Click To Enlarge

Figure 2 – Details of request and response

Click To Enlarge

Security Impact

Malicious users send arbitrary push notifications to other users, starting phishing attacks or exploiting other XSS vulnerabilities.