Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection

vendor:

Thinfinity VirtualUI

by:

Daniel Morales

9.8

CVSS

CRITICAL

IFRAME Injection

CWE

Product Name: Thinfinity VirtualUI

Affected Version From: 2.1.37.2

Affected Version To: 2.5.41.0

Patch Exists: YES

Related CWE: CVE-2021-45092

CPE: a:cybelesoft:thinfinity_virtualui

Metasploit:

Other Scripts:

Tags: packetstorm,iframe,thinfinity,tenable,cve,cve2021,injection

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://github.com/cybelesoft/virtualui/issues/2, https://nvd.nist.gov/vuln/detail/CVE-2021-44848, https://www.tenable.com/cve/CVE-2021-45092, http://packetstormsecurity.com/files/166068/Thinfinity-VirtualUI-2.5.41.0-IFRAME-Injection.html

Nuclei Metadata: {'max-request': 1, 'vendor': 'cybelesoft', 'product': 'thinfinity_virtualui'}

Platforms Tested: Microsoft Windows

2021

Thinfinity VirtualUI 2.5.41.0 – IFRAME Injection

By accessing the following payload (URL) an attacker could iframe any external website (of course, only external endpoints that allows being iframed). The vulnerable vector is "https://example.com/lab.html?vpath=//wikipedia.com" where "vpath=//" is the pointer to the external site to be iframed.

Mitigation:

Update to version 3.0 or later of Thinfinity VirtualUI.

Source

Exploit-DB raw data:

Exploit Title: Thinfinity VirtualUI 2.5.41.0  - IFRAME Injection
Date: 16/12/2021
Exploit Author: Daniel Morales
Vendor: https://www.cybelesoft.com <https://www.cybelesoft.com/>
Software Link: https://www.cybelesoft.com/thinfinity/virtualui/ <https://www.cybelesoft.com/thinfinity/virtualui/>
Version: Thinfinity VirtualUI < v3.0
Tested on: Microsoft Windows
CVE: CVE-2021-45092

How it works
By accessing the following payload (URL) an attacker could iframe any external website (of course, only external endpoints that allows being iframed).

Payload
The vulnerable vector is "https://example.com/lab.html?vpath=//wikipedia.com <https://example.com/lab.html?vpath=//wikipedia.com> " where "vpath=//" is the pointer to the external site to be iframed.

Vulnerable versions
It has been tested in VirtualUI version 2.1.37.2, 2.1.42.2, 2.5.0.0, 2.5.36.1, 2.5.36.2 and 2.5.41.0.

References
https://github.com/cybelesoft/virtualui/issues/2 <https://github.com/cybelesoft/virtualui/issues/2>
https://www.tenable.com/cve/CVE-2021-45092 <https://www.tenable.com/cve/CVE-2021-45092>
https://twitter.com/danielmofer <https://twitter.com/danielmofer>