The Ericom PowerTerm WebConnect login portal unsafely writes values from the 'AppPortal' cookie into the page source, permitting arbitrary JavaScript execution.
Portal credentials can be captured via cross-site scripting.
To persist the login form fields, the Ericom portal sets the 'AppPortal' cookie and populates it with POST data from the last failed login attempt. Because of that behavior, a malicious cookie can be set from an attacker-controlled domain by using cross-site request forgery to submit a failed login request. If a victim views an attacker's webpage a single time, an attacker can trigger an exploit chain that may result in the theft of Active Directory credentials.
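The pattern described above, sketched as an added example that is not Ericom's code and not part of the original advisory: a login form repopulated from a cookie, rendered first without encoding and then with HTML attribute encoding, plus an origin check that stops a cross-site failed login from planting the cookie. The cookie serialization, the field names and `PORTAL_ORIGIN` are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qsl, urlencode, urlsplit

PORTAL_ORIGIN = "https://portal.example"  # assumption: the portal's own origin


def persist_failed_login(post_fields):
    """Build the cookie value that remembers form fields after a failed login.
    Assumed format: URL-encoded pairs; only non-secret fields are kept."""
    kept = {k: v for k, v in post_fields.items() if k in ("username", "domain")}
    return urlencode(kept)


def render_unsafe(cookie_value):
    """The flaw class: cookie text is copied into the markup verbatim."""
    fields = dict(parse_qsl(cookie_value))
    return '<input name="username" value="%s">' % fields.get("username", "")


def render_safe(cookie_value):
    """Same form, with the value HTML-attribute-encoded before output."""
    fields = dict(parse_qsl(cookie_value))
    user = html.escape(fields.get("username", ""), quote=True)
    return '<input name="username" value="%s">' % user


def is_same_origin_post(headers):
    """Accept a login POST only when Origin (or, failing that, Referer)
    names the portal itself; requests with neither header are rejected."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == PORTAL_ORIGIN


if __name__ == "__main__":
    # Constructed sample: a harmless marker that contains markup characters.
    cookie = persist_failed_login({"username": '"><i>marker</i>', "password": "x"})
    print(render_unsafe(cookie))  # marker breaks out of the value attribute
    print(render_safe(cookie))    # marker stays inert text inside the attribute
    print(is_same_origin_post({"Origin": "https://other.example"}))
```

Either control alone breaks the chain the advisory describes: encoding stops the cookie value from becoming markup, and the origin check stops another site from setting that cookie through a forged failed login.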
CVE-2022-29152
The vendor has not responded to responsible disclosure.
Ryan Emmons - CBI
- 2 April 2022 - A ticket was created with the vendor and an autoreply was received.
- 15 April 2022 - No follow-up from the vendor after two weeks, so the issue is being publicly disclosed.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29152