When LDAP authentication is activated in the configuration it is possible to obtain reflected XSS execution by creating a custom URL that the victim only needs to open in order to execute arbitrary JavaScript code in the victim’s browser. This is due to a fault in the file login.php where the content of “$_SERVER[‘PHP_SELF’]” is reflected into the HTML of the website. Hence the attacker does not need a valid account in order to exploit this issue.
[
{
"defaultStatus": "affected",
"product": "HAWKI",
"repo": "https://github.com/HAWK-Digital-Environments/HAWKI",
"vendor": "Interaction Design Team at the University of Applied Sciences and Arts in Hildesheim/Germany",
"versions": [
{
"status": "affected",
"version": "versions before commit 146967f",
"versionType": "custom"
}
]
}
]