WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)

vendor:

WebCTRL OEM

by:

3ndG4me

6.1

CVSS

MEDIUM

Reflected Cross-Site Scripting (XSS)

CWE

Product Name: WebCTRL OEM

Affected Version From: 6.5

Affected Version To: 6.5

Patch Exists: YES

Related CWE: CVE-2021-31682

CPE: a:automated_logic:webctrl_oem

Metasploit:

Other Scripts:

Tags: cve,cve2021,webctrl,xss,packetstorm

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Nuclei References: https://nvd.nist.gov/vuln/detail/CVE-2021-31682, https://github.com/3ndG4me/WebCTRL-OperatorLocale-Parameter-Reflected-XSS, https://www.automatedlogic.com/en/products-services/webctrl-building-automation-system/, http://packetstormsecurity.com/files/164707/WebCTRL-OEM-6.5-Cross-Site-Scripting.html

Nuclei Metadata: {'max-request': 1, 'shodan-query': 'html:"/_common/lvl5/dologin.jsp"', 'vendor': 'automatedlogic', 'product': 'webctrl'}

Platforms Tested:

2021

WebCTRL OEM 6.5 – ‘locale’ Reflected Cross-Site Scripting (XSS)

The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. This issue works by passing in a basic XSS payload to a vulnerable GET parameter that is reflected in the output without sanitization.

Mitigation:

Sanitize any user controlled input in both form fields and URL parameters to properly encode data so it is not rendered as arbitrary HTML/JavaScript.

Source

Exploit-DB raw data:

# Exploit Title: WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)
# Date: 4/07/2021
# Exploit Author: 3ndG4me
# Vendor Homepage: https://www.automatedlogic.com/en/products/webctrl-building-automation-system/
# Version: 6.5 and Below
# CVE : CVE-2021-31682

--Summary--

The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. 

Automated Logic
https://www.automatedlogic.com/en/products-services/webctrl-building-automation-system/

--Affects--

- WebCTRL OEM
- Versions 6.5 and prior

--Details--

The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. This issue impacts versions 6.5 and below. This issue works by passing in a basic XSS payload to a vulnerable GET parameter that is reflected in the output without sanitization. This can allow for several issues including but not limited to:

- Hijacking a user's session
- Using XSS payloads to capture input (keylogging)


-- Proof of Concept --
The following URL parameter was impacted and can be exploited with the sample payload provided below:
- https://example.com/index.jsp?operatorlocale=en/><script>alert("xss")</script> 

--Mitigation--

Sanitize any user controlled input in both form fields and URL parameters to properly encode data so it is not rendered as arbitrary HTML/JavaScript.

--Timeline--

- 4/07/2021: XSS Vulnerability was discovered and documented. 
- 4/17/2021: A temporary CVE identifier was requested by MITRE. Automated Logic was also notified with the full details of each finding via their product security contact at https://www.automatedlogic.com/en/about/security-commitment/. A baseline 90 day disclosure timeline was established in the initial communication.
- 7/23/2021: MITRE Assigns CVE ID CVE-2021-31682 to the vulnerability.
- 9/08/2021: Automated Logic formally responds requesting the CVE identifier and states that the issue should be patched in newer versions of the product.
- 10/20/2021: The researcher responds with the CVE identifier and a request for all impacted version numbers so they can release a more accurate impacted list of products when full disclosure occurs. Automate Logic responds with a list of impacted versions the same day, and the researcher publicly discloses the issue and submits a CVE details update request to MTIRE.