SQL Monitor 12.1.31.893 Cross Site Scripting

SQL Monitor version 12.1.31.893 suffers from a cross site scripting vulnerability.

Packet Storm
# Exploit Title: SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS)
# Date: [12/21/2022 02:07:23 AM UTC]
# Exploit Author: [[email protected]]
# Vendor Homepage: [https://www.red-gate.com/]
# Software Link: [https://www.red-gate.com/products/dba/sql-monitor/]
# Version: [SQL Monitor 12.1.31.893]
# Tested on: [Windows OS]
# CVE : [CVE-2022-47870]

[Description]
Cross Site Scripting (XSS) in the web SQL monitor login page in Redgate SQL Monitor 12.1.31.893 allows remote attackers to inject arbitrary web Script or HTML via the returnUrl parameter.

[Affected Component]
affected returnUrl in https://sqlmonitor.*.com/Account/Login?returnUrl=&hasAttemptedCookie=True
affected A tag under span with "redirect-timeout" id value

[CVE Impact]
disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account.

[Attack Vectors]
to exploit the vulnerability, someone must click on the malicious A HTML tag under span with "redirect-timeout" id value

[Vendor]
http://redgate.com
http://sqlmonitor.com
https://sqlmonitor.
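
One way to handle a returnUrl value before it is written into the link under the "redirect-timeout" span, shown as an added example that is not Redgate's code or part of the advisory. The function names, the fallback path, the placeholder origin and the link text are assumptions, and the sample inputs are constructed.

```javascript
// Added example (hypothetical helper names): allow-list a returnUrl value and
// encode it before it becomes the href of the redirect link.

const FALLBACK = "/"; // assumed safe landing page

// Accept only same-site, path-absolute targets; everything else gets the fallback.
function safeReturnUrl(raw, fallback = FALLBACK) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return fallback;
  // Browsers strip control characters and treat "\" like "/", so "/\host"
  // or "/<TAB>/host" can turn into a cross-origin URL. Reject them outright.
  if (/[\u0000-\u0020\u007f\\]/.test(raw)) return fallback;
  // Exactly one leading "/": rejects scheme URLs ("javascript:", "data:",
  // "https://") and protocol-relative "//host" targets.
  if (!raw.startsWith("/") || raw.startsWith("//")) return fallback;
  // Resolve against a placeholder origin and confirm the origin is unchanged.
  const base = "https://placeholder.invalid";
  let parsed;
  try {
    parsed = new URL(raw, base);
  } catch {
    return fallback;
  }
  if (parsed.origin !== base) return fallback;
  return parsed.pathname + parsed.search + parsed.hash;
}

// Encode for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the redirect link: validation first, then output encoding.
function renderRedirectLink(rawReturnUrl) {
  const href = escapeAttr(safeReturnUrl(rawReturnUrl));
  return `<span id="redirect-timeout"><a href="${href}">Continue</a></span>`;
}
```

Validation and encoding are both applied because they cover different failures: the allow-list stops script-scheme and off-site targets, and the attribute encoding stops a value from breaking out of the href.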
