Advertisement
CVE | Category | Price | Severity |
---|---|---|---|
CVE-2020-7337 | CWE-79 | $500 | High |
Author | Risk | Exploitation Type | Date |
---|---|---|---|
Unknown | High | Remote | 2022-09-15 |
Product: Genesys PureConnect - Interaction Web Tools Chat Service Description: Interaction Web Tools Chat Service allows XSS within the Printable Chat History via the participant -> name JSON POST parameter. Vulnerability Type: XSS Vendor of Product: Genesys PureConnect Affected Product Code Base: Interaction Web Tools - Chat Service - Appears to be all versions up to current release (26-September-2019) Affected Component: "Print" feature of the Interaction Web Tools Chat: https://help.genesys.com/pureconnect/mergedprojects/wh_tr/desktop/pdfs/web_tools_dg.pdf Attack Vectors: To exploit the Cross-Site Scripting vulnerability, visit https://<vulnerable-domain>/I3Root/chatOrCallback.html Then select the 'I don't have an account" option, and enter the name "><script>alert(1)</script> Then press 'Start Chat' Then enter anything in the chat box like 'asdfg' and press send Now select the 'Printable Chat History' in the top right corner XSS will trigger. You can google dork for vulnerable versions with inurl:"/I3Root/chatOrCallback.html" I'm assuming if an admin tries to print the chat conversation, it will trigger for them as well. Unable to confirm though.
Copyright ©2024 Exploitalert.