CVE Identification and Details
- Vendor: Ingenico
- Product: The Estate Manager
- Affected Endpoint: POST /emgui/rest/preferences/PREF_HOME_PAGE/sponsor/3/
- Vulnerable Parameters: url
- Vulnerability Type: Self Reflected Cross-Site Scripting (XSS)
Reproduction of the Attack
The following steps were used to identify and confirm the self reflected XSS vulnerability in the url parameter of the POST request to the affected endpoint. The testing was conducted using Burp Suite.
Step 1: Adding a New Widget with the XSS Payload
- Description: When the user adds a new widget to the dashboard (Add favorite), they enter a name and a URL. The url parameter is vulnerable, allowing for XSS payload injection. The following payload was used:
- Payload: javascript:alert(1)
Figure 1: The payload is entered in the UI.
Step 2: Crafting the POST Request with the XSS Payload
- Description: The POST request was crafted and sent using Burp Suite, with the XSS payload included in the url parameter.
- Observation: The POST request added the new widget to the home page.
Figure 2: The POST request with the XSS payload in Burp Suite.
Step 3: Triggering the XSS Payload
- Description: After the POST request, the new widget appears on the home page at the endpoint /emgui/mvc/vue/home.
- Observation: Clicking on the newly added item triggers the JavaScript alert 1, confirming the XSS vulnerability.
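A server-side mitigation for this class of bug, added here as example code that is not part of the advisory or of The Estate Manager: the submitted favorite URL is accepted only if its scheme is on an allow-list (so javascript:, data: and scheme-less or protocol-relative values are rejected before storage), and the stored value is HTML-encoded when the widget link is rendered. The function names and sample URLs are assumptions; the example also covers browser normalization tricks (case, embedded tabs, surrounding whitespace) that a plain prefix check would miss.

```python
from html import escape
from urllib.parse import urlsplit, urlunsplit

# Schemes a dashboard "favorite" link may legitimately use (assumed policy).
ALLOWED_SCHEMES = {"http", "https"}


def sanitize_widget_url(raw):
    """Return a normalized absolute http(s) URL, or None to reject the input.

    Allow-listing the scheme is the control: a deny-list of "javascript:"
    misses case variants, embedded tabs/newlines and other active schemes.
    """
    if not isinstance(raw, str):
        return None
    # Browsers drop surrounding whitespace and embedded \t \r \n before
    # parsing the scheme, so normalize the same way before validating.
    cleaned = "".join(ch for ch in raw.strip() if ch not in "\t\r\n")
    if any(ord(ch) < 0x20 for ch in cleaned):
        return None  # other control characters: reject outright
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # Rejects javascript:, data:, vbscript:, and also scheme-less or
        # protocol-relative (//host) input that would inherit page context.
        return None
    if not parts.netloc:
        return None
    return urlunsplit((scheme, parts.netloc, parts.path or "/",
                       parts.query, parts.fragment))


def render_widget_link(name, url):
    """Build the anchor for a dashboard favorite; refuses unsafe URLs."""
    safe = sanitize_widget_url(url)
    if safe is None:
        raise ValueError("widget url must be an absolute http(s) URL")
    # Output encoding of both the attribute value and the link text.
    return '<a href="%s">%s</a>' % (escape(safe, quote=True), escape(name))


if __name__ == "__main__":
    # Constructed sample: the advisory's payload is rejected at submit time.
    print(sanitize_widget_url("javascript:alert(1)"))      # None
    print(render_widget_link("Portal", " https://example.com "))
```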