Headline
CVE-2022-39172: Stored Cross-Site Scripting in mb Support broker management solution openVIVA c2
A stored XSS in the process overview (bersicht zugewiesener Vorgaenge) in mbsupport openVIVA c2 20220101 allows a remote, authenticated, low-privileged attacker to execute arbitrary code in the victim’s browser via name field of a process.
The product openVIVA c2 of the vendor mb Support is vulnerable against a targeted stored cross-site scripting attack. An authenticated user with the role “user” can create a new process/ticket (“Prozess”) and insert arbitrary JavaScript in the “Name” field because it is not sanitized. Afterwards, an attacker can assign the process to a person mainly responsible (“Hauptverantwortlicher”) which allows them to specify the victim as target.
Vendor description
“Support small and medium-sized companies as well as large corporate customers with just one software. Sales , inventory management , billing , e-mail and much more - with openVIVA c2 you get everything in one application. Without system disruption and in one database, you can do all the work of an insurance broker with one piece of software. Connect brokers, intermediaries, insurers and customers directly with our self-service portals . Strengthen your customer relationships and work more efficiently yourself. mb Support offers portals for intermediaries as well as industrial and commercial customers and tailor-made portal solutions for insurers, brokers and private customers.”
Source: https://mbsupport.de/
**
Business recommendation**
The vendor provides an updated version to their customers.
An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from other security issues.
**
Vulnerability overview/description****1) Stored Cross-Site Scripting (CVE-2022-39172)**
An authenticated attacker with privileges of the role ‘user’ can create a new ‘Vorgang’ (Process). The field ‘Name’ is not sanitized and enables an attacker to perform a stored XSS attack. Additionally, the field ‘Hauptverantwortlicher’ (persons mainly responsible) can be used to assign this ‘Vorgang’ to another user who will receive it in his overview list. This results in a targeted stored XSS attack.
**
Proof of concept****1) Stored Cross-Site Scripting (CVE-2022-39172)**
The application is developed on top of Oracle Apex (https://apex.oracle.com/en/) which provides several security features to developers. Two of those are request replay protection and parameter checksumming which make it hard to develop a PoC which only consists of requests and responses. Therefore this PoC will be a textual description of the required steps and supplemented with pictures. Additionally the library ‘AlertifyJS’ is used, which changes the appearance of alert popups which can be confusing if you are used to the standard alert popups.
To execute the attack the following steps have to be performed:
1. Log in to openVIVA c2
2. Go to ‘mein openVIVA’ (my openVIVA)
3. Click on ‘Vorgangszuordnung’ (Process Assignment)
4. Click on ‘Neuen Vorgang starten’ (Start new Process)
5. In the new form enter the XSS payload into the ‘Name’ field, for example “<script>alert(‘XSS’)</script>”
6. Choose your victim as ‘Hauptverantwortlicher’ (persons mainly responsible)
7. Click on the three dots
8. Click on ‘Speichern’ (save)
The victim now has a new ‘Vorgang’ in his inbox. If the ‘Vorgänge’ menu is clicked,the victim is redirected to the list of assigned 'Vorgänge’. Because our payload is in the name field it is executed as soon as the list of processes is loaded.
**
Vulnerable / tested versions**
The following version has been tested and found to be vulnerable:
- openVIVA c2 20220101
**
Vendor contact timeline**
Solution
Upgrade to version 2022-08-01 or later. The vendor has no public download link available as all customers will be patched according to their maintenance contract.
**
Workaround**
None
**
Advisory URL**
sec-consult.com/vulnerability-lab/
EOF Daniel Hirschberger / @2023
Interested to work with the experts of SEC Consult? Send us your application
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices
Related news
openVIVA c2 suffers from a persistent cross site scripting vulnerability. Versions prior to 20220801 are affected.