CVE-2022-27662

Vulnerability Description: Stored Client-Side Template Injection-CWE-1336
Software Version: 5.1.0, 5.2.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-27662
CVSv3: 4.8
Severity: Medium
Credits: Valerio Alessandroni, Matteo Brutti, Massimiliano Brolli

In Traffix Signal Delivery Controller 5.1.0 and 5.2.0, stored client-side template injection (CSTI) was possible, which could lead to code execution.

Step-by-step instructions and PoC

An authenticated remote user can inject arbitrary code aiming to exploit the template engine to execute malicious javascript code on browsers which visit infected pages.

Affected Endpoints

• URL: https://[host]/MgmtConsole/mgmtconsole/rest/administration/QDEARM002/snmp/AddSnmpProfile
• HTTP Parameter: User Name

Malicious javascript code is injected through the parameter “User Name”, inserting an operation (e.g., in this case {{7*7}} ) to be executed by the victim’s browser as shown below:

The previously injected malicious code is stored within the page and executed as the page is loaded in the browser.