Exploits / Vulnerability Discovered : 2021-10-29 |
Type : webapps |
Platform : multiple
This exploit / vulnerability Webctrl oem 6.5 locale reflected crosssite scripting (xss) is for educational purposes only and if it is used you will do on your own risk!
The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized.
The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. This issue impacts versions 6.5 and below. This issue works by passing in a basic XSS payload to a vulnerable GET parameter that is reflected in the output without sanitization. This can allow for several issues including but not limited to:
- Hijacking a user's session
- Using XSS payloads to capture input (keylogging)
-- Proof of Concept --
The following URL parameter was impacted and can be exploited with the sample payload provided below:
- https://example.com/index.jsp?operatorlocale=en/><script>alert("xss")</script>
--Mitigation--
Sanitize any user controlled input in both form fields and URL parameters to properly encode data so it is not rendered as arbitrary HTML/JavaScript.
--Timeline--
- 4/07/2021: XSS Vulnerability was discovered and documented.
- 4/17/2021: A temporary CVE identifier was requested by MITRE. Automated Logic was also notified with the full details of each finding via their product security contact at https://www.automatedlogic.com/en/about/security-commitment/. A baseline 90 day disclosure timeline was established in the initial communication.
- 7/23/2021: MITRE Assigns CVE ID CVE-2021-31682 to the vulnerability.
- 9/08/2021: Automated Logic formally responds requesting the CVE identifier and states that the issue should be patched in newer versions of the product.
- 10/20/2021: The researcher responds with the CVE identifier and a request for all impacted version numbers so they can release a more accurate impacted list of products when full disclosure occurs. Automate Logic responds with a list of impacted versions the same day, and the researcher publicly discloses the issue and submits a CVE details update request to MTIRE.