Vendor: LISTSERV
By: Shaunt Der-Grigorian
CVSS: 6.1 (MEDIUM)
Reflected Cross Site Scripting (XSS)
CWE: 79
Product Name: LISTSERV
Affected Version From: 17
Affected Version To: 17
Patch Exists: YES
Related CVE: CVE-2022-39195
CPE: a:lsoft:listserv:17
Tags: cve,cve2022,xss,listserv,packetstorm
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Nuclei Metadata: {'max-request': 2, 'shodan-query': 'http.html:"LISTSERV"', 'verified': True, 'vendor': 'lsoft', 'product': 'listserv'}
Platforms Tested: Windows Server 2019
2022

LISTSERV 17 – Reflected Cross Site Scripting (XSS)

A reflected cross-site scripting (XSS) vulnerability in the LISTSERV 17 web interface allows remote attackers to inject arbitrary JavaScript or HTML via the "c" parameter.

Mitigation:

To mitigate this vulnerability, go to "Web Templates" under "Server Administration" and edit the BODY-LCMD-MESSAGE web template. In that template, change &+CMD; to &+HTMLENCODE(&+CMD;);

Exploit-DB raw data:

# Exploit Title: LISTSERV 17 - Reflected Cross Site Scripting (XSS)
# Google Dork: inurl:/scripts/wa.exe
# Date: 12/01/2022
# Exploit Author: Shaunt Der-Grigorian
# Vendor Homepage: https://www.lsoft.com/
# Software Link: https://www.lsoft.com/download/listserv.asp
# Version: 17
# Tested on: Windows Server 2019
# CVE : CVE-2022-39195

A reflected cross-site scripting (XSS) vulnerability in the LISTSERV 17 web interface allows remote attackers to inject arbitrary JavaScript or HTML via the "c" parameter.

To reproduce, please visit
http://localhost/scripts/wa.exe?TICKET=test&c=%3Cscript%3Ealert(1)%3C/script%3E
(or whichever URL you can use for testing instead of localhost).

The "c" parameter will reflect any value given onto the page.

# Solution
This vulnerability can be mitigated by going under "Server Administration" to "Web Templates" and editing the BODY-LCMD-MESSAGE web template. Change &+CMD; to &+HTMLENCODE(&+CMD;); .
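
For detection alongside the template fix, the following added example (not part of the original advisory or of LISTSERV) scans web-server logs for wa.exe requests whose "c" value decodes to markup characters. It assumes IIS W3C logging with the columns named in the #Fields header; the log lines and client addresses are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C-style sample (assumption: wa.exe is served by IIS with
# these fields logged). Addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-12-01 10:00:01 GET /scripts/wa.exe - 192.0.2.10 200
2022-12-01 10:00:05 GET /scripts/wa.exe TICKET=test&c=%3Cscript%3Ealert(1)%3C/script%3E 192.0.2.44 200
2022-12-01 10:00:09 GET /scripts/wa.exe TICKET=test&c=%253Cscript%253Ealert(1)%253C/script%253E 198.51.100.7 200
2022-12-01 10:00:12 GET /scripts/wa.exe TICKET=test&c=SUBSCRIBE+EXAMPLE-L 192.0.2.17 200
2022-12-01 10:00:15 GET /index.html c=%3Cb%3E 192.0.2.17 404
"""

# Characters that let a reflected value break out into HTML markup.
MARKUP = re.compile(r"[<>\"']")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encoding cannot hide markup."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_text):
    """Return (client_ip, decoded_c) for wa.exe requests whose "c" has markup."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith("/wa.exe"):
            continue
        # parse_qs removes one encoding layer; fully_decode removes the rest.
        query = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
        for value in query.get("c", []):
            decoded = fully_decode(value)
            if MARKUP.search(decoded):
                hits.append((row.get("c-ip", "?"), decoded))
    return hits

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\tc={value!r}")
```

Hits from before the template change are worth reviewing together with the Referer of each request, since a reflected payload reaches a victim through a link they followed.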