Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022090038

Below is a copy:

Genesys PureConnect - Interaction Web Tools XSS
Product: Genesys PureConnect - Interaction Web Tools Chat Service
Description: Interaction Web Tools Chat Service allows XSS within the Printable Chat History via the participant -> name JSON POST parameter.
Vulnerability Type: XSS
Vendor of Product: Genesys PureConnect
Affected Product Code Base: Interaction Web Tools - Chat Service - Appears to be all versions up to current release (26-September-2019)
Affected Component: "Print" feature of the Interaction Web Tools Chat: https://help.genesys.com/pureconnect/mergedprojects/wh_tr/desktop/pdfs/web_tools_dg.pdf
Attack Vectors:
To exploit the Cross-Site Scripting vulnerability, visit https://<vulnerable-domain>/I3Root/chatOrCallback.html 
Then select the 'I don't have an account' option, and enter the name "><script>alert(1)</script>
Then press 'Start Chat'
Then enter anything in the chat box like 'asdfg' and press send
Now select the 'Printable Chat History' in the top right corner
XSS will trigger. You can google dork for vulnerable versions with inurl:"/I3Root/chatOrCallback.html" 

I'm assuming if an admin tries to print the chat conversation, it will trigger for them as well. Unable to confirm though.
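
The fix for this class of bug is to encode the participant name where the printable history is built. The sketch below is an added example, not code from the advisory or from Genesys: the renderer, its markup and all function names are hypothetical, and the transcript is constructed from the name value quoted above.

```javascript
// Added illustration: hypothetical renderer, not Genesys code.
// Constructed sample transcript; the name is the value quoted in the advisory.
const sampleChat = {
  participant: { name: '"><script>alert(1)</script>' },
  messages: [{ from: '"><script>alert(1)</script>', text: 'asdfg' }],
};

// Encode the five characters that can end a text node or a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: untrusted strings concatenated straight into markup.
function renderHistoryUnsafe(chat) {
  const rows = chat.messages
    .map((m) => `<li data-from="${m.from}">${m.from}: ${m.text}</li>`)
    .join('');
  return `<h1 title="${chat.participant.name}">Chat with ${chat.participant.name}</h1><ul>${rows}</ul>`;
}

// Hardened pattern: every untrusted field is encoded at the point of output.
function renderHistorySafe(chat) {
  const name = escapeHtml(chat.participant.name);
  const rows = chat.messages
    .map((m) => `<li data-from="${escapeHtml(m.from)}">${escapeHtml(m.from)}: ${escapeHtml(m.text)}</li>`)
    .join('');
  return `<h1 title="${name}">Chat with ${name}</h1><ul>${rows}</ul>`;
}

// True if the rendered markup contains a live <script> tag.
function hasActiveScript(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe has script:', hasActiveScript(renderHistoryUnsafe(sampleChat)));
console.log('safe has script:  ', hasActiveScript(renderHistorySafe(sampleChat)));
```

Because the name is submitted once at chat start and rendered later, the encoding belongs in every view that displays it, including any agent-side or print view.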
