Lucene search
Daniel Morales1337DAY-ID-37397HistoryFeb 21, 2022 - 12:00 a.m.
Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection Vulnerability
2022-02-2100:00:00
Daniel Morales
0day.today
197
0.058 Low
EPSS
Percentile
93.4%
Exploit Title: Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection
Exploit Author: Daniel Morales
Vendor: https://www.cybelesoft.com <https://www.cybelesoft.com/>
Software Link: https://www.cybelesoft.com/thinfinity/virtualui/ <https://www.cybelesoft.com/thinfinity/virtualui/>
Version: Thinfinity VirtualUI < v3.0
Tested on: Microsoft Windows
CVE: CVE-2021-45092
How it works
By accessing the following payload (URL) an attacker could iframe any external website (of course, only external endpoints that allows being iframed).
Payload
The vulnerable vector is "https://example.com/lab.html?vpath=//wikipedia.com <https://example.com/lab.html?vpath=//wikipedia.com> " where "vpath=//" is the pointer to the external site to be iframed.
Vulnerable versions
It has been tested in VirtualUI version 2.1.37.2, 2.1.42.2, 2.5.0.0, 2.5.36.1, 2.5.36.2 and 2.5.41.0.
References
https://github.com/cybelesoft/virtualui/issues/2 <https://github.com/cybelesoft/virtualui/issues/2>
https://www.tenable.com/cve/CVE-2021-45092 <https://www.tenable.com/cve/CVE-2021-45092>
https://twitter.com/danielmofer <https://twitter.com/danielmofer>
Related
packetstorm
packetstorm
Thinfinity VirtualUI 2.5.41.0 IFRAME Injection
2022-02-21 00:00:00
nvd
nvd
CVE-2021-45092
2021-12-16 04:15:06
prion
prion
Design/Logic Flaw
2021-12-16 04:15:00
cvelist
cvelist
CVE-2021-45092
2021-12-16 03:07:32
cve
cve
CVE-2021-45092
2021-12-16 04:15:06
exploitdb
exploitdb
Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection
2022-02-21 00:00:00
nuclei
nuclei
Thinfinity Iframe Injection
2021-12-18 09:02:44