[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[CVE-2018-15528] Reflected XSS in Java System Solutions SSO Plugin 4.0.13.1 for BMC MyIT
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [CVE-2018-15528] Reflected XSS in Java System Solutions SSO Plugin 4.0.13.1 for BMC MyIT
- From: mamurch@xxxxxxxxxxx
- Date: Mon, 20 Aug 2018 08:03:52 GMT
Title:
======
Reflected XSS in Java System Solutions SSO Plugin 4.0.13.1 for BMC MyIT
Description:
============
Reflected Cross-Site Scripting in Java System Solutions' BMC MyIT SSO Plugin
version 4.0.13.1 was identified during a penetration test. Other versions might
be affected as well. A remote attacker can abuse this issue to inject
client-side scripts into the "select_sso()" function. The payload is triggered
when the victim opens a prepared link and hits the "Login" button.
Proof-of-concept:
=================
Open
https://<hostname>/ux/jss-sso/arslogin?javascript:alert(%27Deloitte%20XSS%20PoC%27)
and hit the "Login" button.
Affected function:
==================
function select_sso() {
console.log('SSO login');
id('loginForm').action= 'javascript:alert(%27Deloitte%20XSS%20PoC%27)';
id('username').name= 'username';
id('password').name= 'password';
usingsso(true);
Solution:
=========
Contact vendor for fix.
Disclosure Timeline:
====================
2018-07-17: Vulnerability discovered
2018-07-17: Vulnerability reported to manufacturer
2018-07-17: Response from manufacturer that vulnerability is known and has been
fixed, but refused to provide any details
2018-08-09: Requested CVE ID from MITRE; CVE-2018-15528 was reserved
2018-08-20: Public disclosure of vulnerability & notification to manufacturer
Credits:
========
This security vulnerability was found by Marco Murch of Deloitte GmbH.
E-Mail: mamu[DELETE_ME_:-)]rch[at]deloitte[dot]de