Headline
CVE-2023-34637: IsarFlow vulnerabilities
A stored cross-site scripting (XSS) vulnerability in IsarNet AG IsarFlow v5.23 allows authenticated attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the dashboard title parameter in the IsarFlow Portal.
Stored Cross-site Scripting
A stored cross-site scripting vulnerability was found in the IsarFlow software version 5.23 (or earlier) of IsarNet Software Solutions GmbH. We have reported this vulnerability to the software vendor, who immediately addressed the issue and fixed the vulnerability in versions 5.25.14 and 5.26.4.
Description
The dashboard title is not encoded properly in all places and is susceptible to stored cross-site scripting.
Upon opening the “delete dashboard” dialog, the JavaScript-Code gets executed.
Additionally, the “User dashboard” menu provides an admin with the ability to browse and edit all user generated dashboards. This view does also not encode the dashboard title, resulting in the executing of the payload and can therefore be used to target higher privileged user accounts.
Affected Component
IsarFlow Portal
Attack Type
Remote
Attack vectors
To exploit the vulnerability, an attacker needs access to the application.
Reference
TBA
Discoverer
Max Maier (mgm security partners), Benedikt Haußner (mgm security partners)