Lucene search
Daniel MoralesPACKETSTORM:166068HistoryFeb 21, 2022 - 12:00 a.m.
Thinfinity VirtualUI 2.5.41.0 IFRAME Injection
2022-02-2100:00:00
Daniel Morales
packetstormsecurity.com
160
0.058 Low
EPSS
Percentile
93.4%
`Exploit Title: Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection
Date: 16/12/2021
Exploit Author: Daniel Morales
Vendor: https://www.cybelesoft.com <https://www.cybelesoft.com/>
Software Link: https://www.cybelesoft.com/thinfinity/virtualui/ <https://www.cybelesoft.com/thinfinity/virtualui/>
Version: Thinfinity VirtualUI < v3.0
Tested on: Microsoft Windows
CVE: CVE-2021-45092
How it works
By accessing the following payload (URL) an attacker could iframe any external website (of course, only external endpoints that allows being iframed).
Payload
The vulnerable vector is "https://example.com/lab.html?vpath=//wikipedia.com <https://example.com/lab.html?vpath=//wikipedia.com> " where "vpath=//" is the pointer to the external site to be iframed.
Vulnerable versions
It has been tested in VirtualUI version 2.1.37.2, 2.1.42.2, 2.5.0.0, 2.5.36.1, 2.5.36.2 and 2.5.41.0.
References
https://github.com/cybelesoft/virtualui/issues/2 <https://github.com/cybelesoft/virtualui/issues/2>
https://www.tenable.com/cve/CVE-2021-45092 <https://www.tenable.com/cve/CVE-2021-45092>
https://twitter.com/danielmofer <https://twitter.com/danielmofer>
`
Related
nvd
nvd
CVE-2021-45092
2021-12-16 04:15:06
prion
prion
Design/Logic Flaw
2021-12-16 04:15:00
zdt
zdt
Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection Vulnerability
2022-02-21 00:00:00
cvelist
cvelist
CVE-2021-45092
2021-12-16 03:07:32
cve
cve
CVE-2021-45092
2021-12-16 04:15:06
exploitdb
exploitdb
Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection
2022-02-21 00:00:00
nuclei
nuclei
Thinfinity Iframe Injection
2021-12-18 09:02:44