CVE Identification and Details

Description

While assessing the Ingenico Estate Manager during a client engagement, a stored Cross-Site Scripting (XSS) vulnerability was discovered in the news feed feature, which is managed from an administrator account. The vulnerability lies in the href attribute of the link attached to a newly posted message. An attacker can leverage it to inject JavaScript that runs in the victim's browser as soon as the victim clicks the link.

Steps to reproduce

An attacker with enough privileges to add a message to the news feed can attach a link to the message as a reference. The link is composed of two parts: the alias (the text shown to the reader) and the URL. The URL part is not validated or sanitized, so a URL carrying JavaScript (such as a javascript: URL) can be placed directly into the href attribute.

https://prod-files-secure.s3.us-west-2.amazonaws.com/5f3b0732-bec1-47d9-83a2-f72ac2192f18/d9da15ef-0384-4d1d-907f-21b347406040/image1.png

As shown in the screenshot above, the XSS payload is entered into the “Link” input field.

The raw HTTP request that posts the message is shown below:

https://prod-files-secure.s3.us-west-2.amazonaws.com/5f3b0732-bec1-47d9-83a2-f72ac2192f18/39dc9de0-4d47-4f82-9ab5-d2dc2efdb697/image2.png

As shown above, the application encodes the link inside the message body using the syntax message[link_alias|link_URL]; the URL portion is what ends up in the href attribute when the message is rendered.

When the victim later opens the news feed section of the dashboard, the message is rendered and the payload appears as an ordinary-looking link:

https://prod-files-secure.s3.us-west-2.amazonaws.com/5f3b0732-bec1-47d9-83a2-f72ac2192f18/e8be329a-f330-4bfc-b30f-029f3df730fc/image3.png

Clicking the link executes the injected JavaScript, and a popup alert appears:

https://prod-files-secure.s3.us-west-2.amazonaws.com/5f3b0732-bec1-47d9-83a2-f72ac2192f18/bb103856-710d-463c-92c7-ea2131880a2c/image4.png
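To make the root cause concrete, the following is an added example (not Ingenico's code, and not taken from the Estate Manager) of a minimal news-feed renderer for the message[link_alias|link_URL] syntax described above. The regular expression, the HTML produced, the DASHBOARD_ORIGIN base URL and the sample messages are all assumptions constructed for the example; only the syntax comes from the advisory. The vulnerable renderer escapes the alias but copies the URL verbatim into href, which is exactly the bug class reported here; the hardened renderer parses the URL with the WHATWG URL API and only emits an href whose scheme is http or https, so javascript: and data: targets (including obfuscated spellings with tabs, leading whitespace or mixed case) are rendered as plain text.

```javascript
// Added example: vulnerable vs. hardened rendering of  text[alias|url]  news-feed links.
// All names and sample data below are constructed for illustration.

// Matches  [alias|url]  segments inside a message body (assumed grammar).
const LINK_RE = /\[([^\[\]|]*)\|([^\[\]]*)\]/g;

// Assumed origin of the dashboard; used as the base for resolving relative links.
const DASHBOARD_ORIGIN = "https://estate-manager.example/";

// Escape a string for placement in HTML text nodes and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Walk the message, escaping free text and delegating each [alias|url] to linkFn.
function render(message, linkFn) {
  let out = "";
  let last = 0;
  for (const m of message.matchAll(LINK_RE)) {
    out += escapeHtml(message.slice(last, m.index));
    out += linkFn(m[1], m[2]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(message.slice(last));
}

// VULNERABLE: the alias is escaped, but the URL is copied verbatim into href,
// so  [Click here|javascript:alert(1)]  becomes a clickable script URL.
function renderVulnerable(message) {
  return render(message, (alias, url) => `<a href="${url}">${escapeHtml(alias)}</a>`);
}

// Return a canonical http(s) URL, or null if the target must not become a link.
// new URL() strips ASCII tab/newline and lower-cases the scheme, so spellings like
// "JAVA\tSCRIPT:" or " javascript:" are normalised before the allow-list check.
function safeHref(url, base = DASHBOARD_ORIGIN) {
  let parsed;
  try {
    parsed = new URL(url, base);
  } catch {
    return null; // unparseable input is never linked
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return parsed.href;
}

// HARDENED: scheme allow-list on the URL plus attribute escaping of the result.
// Rejected targets keep the alias as plain text and emit no href at all.
function renderHardened(message, base = DASHBOARD_ORIGIN) {
  return render(message, (alias, url) => {
    const href = safeHref(url, base);
    const text = escapeHtml(alias);
    if (href === null) return text;
    return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${text}</a>`;
  });
}

// Constructed sample messages: one benign, three hostile.
const SAMPLE_MESSAGES = [
  "Maintenance window tonight [Details|https://status.example.com/window]",
  "Please read the new policy [Click here|javascript:alert(document.domain)]",
  "Terminal firmware update [Release notes|JAVA\tSCRIPT:alert(1)]",
  "Survey [Take part|data:text/html,<script>alert(1)</script>]",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const msg of SAMPLE_MESSAGES) {
    console.log("vulnerable:", renderVulnerable(msg));
    console.log("hardened:  ", renderHardened(msg));
    console.log();
  }
}
```

The important design choice is to allow-list schemes after parsing rather than to deny-list the string "javascript:": a naive `/^javascript:/i` check misses the tab-separated and leading-whitespace variants that browsers still execute, whereas the URL parser applies the same normalisation the browser will.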