Summary
Engelsystem prior to v3.4.1 performed insufficient validation of user-supplied data for the DECT number, mobile number, and work-log comment fields. The values of those fields were displayed unescaped in the corresponding log overviews, allowing the injection and execution of JavaScript code in another user's context.
Impact
This vulnerability enables an authenticated user to inject JavaScript into other users' sessions. The injected JS is executed during normal use of the system, e.g. when viewing overview pages.
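To illustrate the defect class described above and the two layers that close it (output encoding at render time plus input validation for the phone-style fields), here is an added PHP example; it is not Engelsystem's own code, and the field names, the allowed character set for DECT/mobile numbers and the sample entry are constructed assumptions.

```php
<?php
// Added example (not Engelsystem's code): stored XSS in an overview row and its fix.
// Field names, the phone-field pattern and the sample values are constructed.
declare(strict_types=1);

// Vulnerable pattern: user-controlled text is concatenated into HTML unescaped,
// so a stored value is interpreted as markup by every user who opens the overview.
function renderWorklogRowUnsafe(array $entry): string
{
    return '<tr><td>' . $entry['dect'] . '</td><td>' . $entry['mobile'] . '</td>'
         . '<td>' . $entry['comment'] . '</td></tr>';
}

// Output encoding: every user-supplied value is HTML-escaped at the point of
// rendering. ENT_QUOTES also escapes single quotes, which matters inside attributes.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderWorklogRowSafe(array $entry): string
{
    return '<tr><td>' . e($entry['dect']) . '</td><td>' . e($entry['mobile']) . '</td>'
         . '<td>' . e($entry['comment']) . '</td></tr>';
}

// Input validation as a second layer: DECT and mobile numbers have a narrow legal
// alphabet, so anything outside it is rejected before it reaches the database.
// The pattern below is an assumption for this example, not Engelsystem's rule.
function isValidPhoneField(string $value, int $maxLen = 40): bool
{
    return strlen($value) <= $maxLen
        && preg_match('/^[0-9+\-\/ ()]*$/', $value) === 1;
}

// Constructed sample entry: the comment carries markup instead of plain text.
$entry = [
    'dect'    => '1234',
    'mobile'  => '+49 170 0000000',
    'comment' => 'Shift done <script>alert(1)</script>',
];

echo renderWorklogRowUnsafe($entry), PHP_EOL; // markup reaches the browser intact
echo renderWorklogRowSafe($entry), PHP_EOL;   // markup is shown as literal text
var_dump(isValidPhoneField($entry['dect']));
var_dump(isValidPhoneField('<script>alert(1)</script>'));
```

The escaped rendering is what a template engine with auto-escaping produces by default; the vulnerable variant corresponds to a raw/unescaped output of the same field.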
Patches
This vulnerability has been fixed in v3.4.1.
Workarounds
N/A
References
Timeline
- 03-12-2023: XSS in DECT number and mobile number reported by Skruppy
- 03-12-2023: Begin patch development and start audit of all input fields throughout the codebase
- 04-12-2023: Push efda1ff as rc for v3.4.1 addressing the reported vulnerabilities
- 05-12-2023: XSS in work log reported by Skruppy (This vulnerability was independently found while auditing all input fields and is fixed in commit efda1ff already)
- 06-12-2023: Released v3.4.1 containing fixes for the reported vulnerabilities