The fix for this issue was to remove the ‘getExclusionsProfiles’ method from the Settings Exclusion plugin.

XSS Vulnerability in Cynet 360 Web Portal before v4.5.1 was discovered in the /echo endpoint which can be leveraged by remote attackers to inject and run arbitrary code.

To exploit this issue, an attacker would first have to convince a user to click a malicious link in an email. The second step is for the user to open that URL in a browser and press Enter.

After the user has successfully logged into the system, remote attackers can access sensitive information and launch other attacks.

CVE-2023-27968

Weakness in the Website:

The website had a weakness that allowed for cross-site scripting. A sufficiently motivated attacker could send an email to the user's colleagues or friends containing a malicious link. After the user clicks the link and visits the website in their browser, the attacker would be able to inject and run code in that session.
In this particular case, the vulnerability was discovered on an endpoint within the system that would automatically update other pages of the site. Remote attackers could exploit this endpoint by convincing users to click a malicious link found in an email.

Mitigation Strategies

Cynet 360 Web Portal is a portal that allows users to manage their internet service provider accounts. It also allows them to view the status of their account and perform certain actions, such as deleting the account.

The company recently released an update that fixes a vulnerability in the application's /echo endpoint, which allowed a remote attacker with administrator privileges to inject and run arbitrary code.

This vulnerability is due to insufficient input validation on the endpoint, making it possible for attackers to spoof requests and cause malicious behavior.
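The reflected-input pattern described above, as an added example that is not Cynet's code: a hypothetical echo handler that reflects a query parameter verbatim, beside a hardened version that entity-encodes it, plus a small check a tester can run over rendered responses. The handler, parameter name and host are assumptions.

```javascript
// Added example, not code from the Cynet 360 Web Portal. A hypothetical
// "echo" handler that reflects a query parameter into an HTML page: first the
// vulnerable pattern the advisory describes (input reflected verbatim), then
// the same handler hardened with HTML entity encoding.

// Escape the characters that let user input break out of an HTML text node
// or quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical parameter name and host (assumptions, not from the advisory).
function echoParam(url) {
  return new URL(url, 'https://portal.example').searchParams.get('msg') ?? '';
}

// Vulnerable: the parameter is concatenated straight into the markup, so any
// HTML in the URL becomes part of the page. This is the insufficient input
// validation / output encoding the advisory attributes to the endpoint.
function renderEchoVulnerable(url) {
  return `<html><body><p>You said: ${echoParam(url)}</p></body></html>`;
}

// Hardened: the parameter is entity-encoded before it is reflected, so
// markup characters reach the browser as inert text.
function renderEchoHardened(url) {
  return `<html><body><p>You said: ${escapeHtml(echoParam(url))}</p></body></html>`;
}

// Detection aid: true when a rendered response still contains a raw tag that
// did not come from the template (html/body/p), i.e. reflected user markup.
function reflectsRawMarkup(html) {
  return /<\/?[a-z][^>]*>/i.test(html.replace(/<\/?(html|body|p)>/gi, ''));
}

// Constructed sample request: harmless markup placed in the parameter.
const sampleUrl = '/echo?msg=%3Cb%3Ehi%3C%2Fb%3E';
console.log(reflectsRawMarkup(renderEchoVulnerable(sampleUrl))); // true
console.log(reflectsRawMarkup(renderEchoHardened(sampleUrl)));   // false
```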

Timeline

Published on: 09/08/2022 16:15:00 UTC
Last modified on: 09/12/2022 14:07:00 UTC