CVE-2023-37827
> A cross-site scripting (XSS) vulnerability in General Solutions Steiner
> GmbH CASE 3 Taskmanagement V 3.3 allows attackers to execute arbitrary
> web scripts or HTML via a crafted payload injected into the
> executionBlockName parameter.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> General Solutions Steiner GmbH
>
> ------------------------------------------
>
> [Affected Product Code Base]
> CASE 3 Taskmanagement - V 3.3
>
> ------------------------------------------
>
> [Affected Component]
> executionBlockName
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> An attacker can exploit this vulnerability by injecting arbitrary and potentially
> malicious JavaScript code into the executionBlockName ("Name") field; it is then
> executed when the machining block overview is accessed. When creating an edit block,
> the "Name" field accepts the malicious JavaScript code, which is executed whenever
> someone edits the edit block, views it, or views all edit blocks.
> Payload: <image src/onerror=prompt(80)>
>
> ------------------------------------------
>
> [Reference]
> https://case.contwise.com/php/portal_case.php
>
> ------------------------------------------
>
> [Discoverer]
> Leon von Sturm zu Vehlingen | Marc Mahlke | Lufthansa Industry Solutions
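The stored XSS described under [Attack Vectors] comes down to the saved "Name" value being written into the overview page without output encoding. The following is an added illustration, not the vendor's code (the CASE 3 template is not public): the record shape, the rendering functions and the review helper are assumptions, and the sample data embeds the payload quoted in the advisory to show the unencoded rendering beside the hardened one.

```javascript
// Constructed sample of stored execution-block records (assumed shape);
// block 2 carries the exact payload quoted in the advisory.
const SAMPLE_BLOCKS = [
  { id: 1, executionBlockName: "Drill holes" },
  { id: 2, executionBlockName: "<image src/onerror=prompt(80)>" },
];

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value. This is the standard output-encoding fix
// for stored XSS: the value is displayed, never parsed as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (hypothetical, not the vendor's template): the stored
// name is concatenated straight into the overview markup, so a name that
// contains a tag becomes a live element whenever the overview is rendered.
function renderOverviewUnsafe(blocks) {
  return "<ul>" +
    blocks.map(b => `<li data-id="${b.id}">${b.executionBlockName}</li>`).join("") +
    "</ul>";
}

// Hardened form: every untrusted value is encoded for the HTML context it
// lands in (text node and attribute value), so the same stored name is
// shown literally and the onerror handler never exists in the DOM.
function renderOverviewSafe(blocks) {
  return "<ul>" +
    blocks.map(b =>
      `<li data-id="${escapeHtml(b.id)}">${escapeHtml(b.executionBlockName)}</li>`
    ).join("") +
    "</ul>";
}

// Defender-side check for records that were saved before the fix: return the
// ids of blocks whose name contains markup-significant characters so they
// can be reviewed and cleaned in the database.
function findSuspiciousBlocks(blocks) {
  return blocks
    .filter(b => /[<>"']/.test(b.executionBlockName))
    .map(b => b.id);
}

console.log(renderOverviewUnsafe(SAMPLE_BLOCKS));
console.log(renderOverviewSafe(SAMPLE_BLOCKS));
console.log("blocks needing review:", findSuspiciousBlocks(SAMPLE_BLOCKS));
```

Encoding at output time is the fix that closes the bug for every view of the field (edit, single view, overview); the review helper only finds records already stored.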