[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Connect-app (CDU) Version: 3.8 - Cross Site Scripting

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Connect-app (CDU) Version: 3.8 - Cross Site Scripting
From: merion44 via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Wed, 04 Aug 2021 11:01:00 +0000

app: connect-app (cdu) (version: 3.8)

cross-site scripting in the registration form name variables. Remote attackers
can inject js payloads as name variables to exploit the frontend in the profile
view and potentially execute in the backend via the preview. Uncertainty in
validating object names in outbound emails, causing the context to be validated
insecurely. This allows reflected execution in the message body of the email
where the name variable is visible. You can see in the main validation how the
developers have tried to parse and encode the content with backslashes and
other characters. In this way, the type of validation can easily be bypassed by
using simple frames with a source that points to a external link. We have
tested this in the portal where the code is executed, we have tested it in the
outgoing service emails that insert the name variably in the email body, and we
have also tested the stored content that was submitted via the API. All
contents was transmitted insecurely and can be manipulated
to trigg
er simple cross-site scripting payloads, hijack user session credentials or
manipulate outbound emails with reflected malicious content on the application
side.

We decided to bring the issue directly to the public after the CDU opened a
court case to criminalise a German hacker following a Whitehat report. Normally
we wanted to report the vulnerabilities directly via Responsible Disclosure,
but were deterred by incidents mentioned above. These did not stop us but we
therefore chose another way to make noise.

ref:
https://www.golem.de/news/connect-app-cdu-verklagt-offenbar-hackerin-nach-melden-von-luecken-2108-158647.html

ref:
https://www.golem.de/news/connect-app-cdu-nimmt-wahlkampf-app-nach-datenleck-offline-2105-156471.html

greetz to cdu
by team smackback

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: Re: [FD] Spammers Using storage[.]googleapis[.]com ?!!?
Next by Date: [FD] Constructor.Win32.SS.11.c / Unauthenticated Open Proxy
Previous by thread: [FD] Backdoor.Win32.WinShell.40 / Unauthenticated Remote Command Execution
Next by thread: [FD] Constructor.Win32.SS.11.c / Unauthenticated Open Proxy
Index(es):
- Date
- Thread