Sofico Miles RIA 2020.2 Build 127964T Cross Site Scripting Vulnerability

=======================================================================
               title: Stored Cross Site Scripting
             product: Sofico Miles RIA
  vulnerable version: 2020.2 build 127964T
       fixed version: 2020.2 build 128076 or higher
          CVE number: CVE-2021-41557
              impact: Medium
            homepage: https://www.sofico.global
               found: 2021-07-09
                  by: Oualid Lkhaouni (Office Bochum)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Sofico is the world’s leading supplier of mission-critical software solutions
for automotive finance, leasing, fleet, and mobility management companies,
and its software is used by a broad range of renowned leasing companies
all over the world."

Source: https://www.sofico.global/en/about-sofico


Business recommendation:
------------------------
SEC Consult recommends updating to the latest version of Sofico Miles RIA.

An in-depth security analysis performed by security professionals is highly
advised, as the software may be affected from further security issues.


Vulnerability overview/description:
-----------------------------------
1) Stored Cross Site Scripting (CVE-2021-41557)
Miles RIA is a software solution by Sofico that allows leasing companies to manage
their leasing services on a single platform.

The Miles RIA application is vulnerable to Stored Cross-Site Scripting (XSS).
An attacker with access to a user account of the RIA IT or the Fleet role
can create a malicious work order in the damage reports section or change
existing work orders with malicious JavaScript.


Proof of concept:
-----------------
1) Stored Cross Site Scripting (CVE-2021-41557)
The following payload can be used for the insecure work order number
parameter of pending work orders in the damage reports section to inject
and execute malicious JavaScript in the context of the victim.
Once the victim visits the malicious work order, the attacker-controlled
input gets reflected in the lower left context menu of the loaded webpage:

1000 <img src=x onerror=alert(document.domain)>

This JavaScript code will then automatically get executed when the site
which contains the payload is visited by the victim.


Vulnerable / tested versions:
-----------------------------
The following software version has been tested and found to be vulnerable:
* Miles RIA 2020.2 build 127964T

It is unknown whether previous versions are affected, as the vendor did not
supply this information.


Vendor contact timeline:
------------------------
2021-07-26: Contacting vendor through [email protected]; No answer.
2021-08-24: Contacting vendor through [email protected]; No answer.
2021-09-21: Contacting vendor through [email protected] and [email protected]; No answer.
2021-11-04: Informing vendor about public advisory release on 9th November 2021.
2021-11-08: Received info from 3rd party about patches.
2021-11-24: Informing vendor about public advisory release on 29th November 2021.
2021-11-24: Received more detailed info from 3rd party about patches.
2021-12-01: Coordination call with vendor.
2021-12-13: Coordinated release of security advisory.


Solution:
---------
The vendor provides patches for the affected product versions:
* Miles RIA 2020.2 build 128076 or higher