Exploit Title: Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection Date: 16/12/2021 Exploit Author: Daniel Morales Vendor: https://www.cybelesoft.com Software Link: https://www.cybelesoft.com/thinfinity/virtualui/ Version: Thinfinity VirtualUI < v3.0 Tested on: Microsoft Windows CVE: CVE-2021-45092 How it works By accessing the following payload (URL) an attacker could iframe any external website (of course, only external endpoints that allows being iframed). Payload The vulnerable vector is "https://example.com/lab.html?vpath=//wikipedia.com " where "vpath=//" is the pointer to the external site to be iframed. Vulnerable versions It has been tested in VirtualUI version 2.1.37.2, 2.1.42.2, 2.5.0.0, 2.5.36.1, 2.5.36.2 and 2.5.41.0. References https://github.com/cybelesoft/virtualui/issues/2 https://www.tenable.com/cve/CVE-2021-45092 https://twitter.com/danielmofer