Vendor: Good for Enterprise iOS Application
By: Mario
CVSS: 8,8 (HIGH)
CWE: 79, Cross-Site Scripting (XSS)
Product Name: Good for Enterprise iOS Application
Affected Version From: 2.2.2.1611
Affected Version To: 2.2.4.1659
Patch Exists: YES
Related CWE: CVE-2013-5118
CPE: a:good_technology:good_for_enterprise_ios_application
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: iOS
2013

XSS Vulnerability in Good for Enterprise iOS Application

An HTML email including the following payload will execute JavaScript statements when the victim opens the email using the vulnerable version. Payload: <body> <div> <script>alert('XSS Here')</script> </div> </body>

Mitigation:

Update the 'Good for Enterprise' iOS application to 2.2.4.1659 or newer

Exploit-DB raw data:

The vulnerable versions are v2.2.2.1611 and earlier
 
Proof of Concept:
An HTML email including the following payload will execute JavaScript statements when the victim opens the email using the vulnerable version.
 
Payload:
<body>
<div>
<script>alert('XSS Here')</script>
</div>
</body>
 
Remediation:
I worked with the Good people to close the issue. I provided some guidance and feedback and agreed with them not to disclose it until they fixed it.

The new release is now available:
Update the "Good for Enterprise" iOS application to 2.2.4.1659 or newer
 
References:
https://www.roblest.com/#research:CVE-2013-5118 

Can the community please provide feedback and comments in order to ensure the fix is working well?

Many thanks

Mario