Ericsson ECM (Enterprise Content Management) solution Vulnerable to Stored XSS. ( CVE-2021-41391)

By -

 Dear Reader,

I was able to identify stored XSS in Ericsson ECM (Enterprise Content Management) solution Version: 18.0 (0331) R1E 

CVE ID: CVE-2021-41391

Below are its details:


# Software description:
Ericsson Catalog Manager allows customers to rapidly launch and enable new innovative offerings with simple user experience and enterprise product, service & resource catalog capabilities. 

# Technical Details & Impact:

It was observed that Security Management Endpoint in User Profile Management Section is vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef framework.

# POC
  1. Login as normal user in ECM 
  2. Click on User Profile Management and click on Preference Definition or just visit this URL "https://host:port/ecm/securityManagement " change the host/port to your ECM host/port
  3. Edit or create new Preference Definition
  4.  In Name field write anything, in label field write your malicious script. For test case we used only alert('XSS') as show below
  5. Click on Save button 
Your script is stored and will be executed on All users of ECM platform as shown below. 



Vulnerability has been reported to Ericsson and is fixed in latest version after 18.0.

Thanks

Comments

Post a Comment

Popular posts from this blog

Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS (CVE-2020-29144, CVE-2020-29145)

By -
Image
Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef...
Read more

Enjay CRM 1.0 - Multiple code executions via Unrestricted Terminal

By -
Image
  Enjay CRM is a collection which contains the CRM software along with Linux Ubuntu, however normal user don't have access to the underlying OS. Once the OS boots its runs the Enjay CRM software which has multiple read-only options.  However some of these options opens a terminal to perform a specific activity, This terminal is unrestricted and user can access the underlying OS as a ROOT and can run any command on OS. Underlying OS can be accessed using two methods; Also CVEs are assigned to these findings. 1. Using Ping menu (CVE-2024-41308):  it will open a terminal and user can click on File menu -> New Tab/New window. And root level terminal will be open. 2. Using Hardware info (CVE-2024-41309): Once the Hardware info page opens click on Help menu and either select "Open HardInfo Website" or "Report bug", it will open an unrestricted terminal where user can click on File menu -> New Tab/New window. And root level terminal will be open. Both the vulner...
Read more

NetSkope Unauthenticated CSV Injection in Admin UI (CVE-2020-28845)

By -
Image
This post is related to CSV injection in netskope Admin UI (Version 75.0) where an unauthenticated user can inject malicious payload in audit logs of admin portal and once the admin extract and open the report, the malicious payload will be executed. CVE ID : CVE-2020-28845 Test case : The audit logs consist of login attempts which includes username, for test case I have injected a non-malicious payload in username field, this payload was reflecting in audit logs and was executed once we download and open the report. Exploitation :  In below screenshot you can see a sample csv injection payload and a dummy password. To verify if our payload is reflecting in Audit logs of admin portal, we logged-in as an admin and in below screenshot our payload can be seen    Admin of Netskope admin extracted and downloaded the report.  Admin opens the downloaded reported and our payload got executed. This Vulnerability has been fixed now in the latest version of NetSkope and CVE ID ...
Read more