MOV.AI Robotics Engine 2.2.3-3 Cross Site Scripting

MOV.AI Robotics Engine version 2.2.3-3 suffers from multiple cross site scripting vulnerabilities.

Packet Storm
Vendor Name: MOV.AI
Product Name: MOV.AI Robotics Engine
Vendor Home Page: https://www.mov.ai
Affected Version(s): MOV.AI Robotics Engine v2.2.3-3
Patch Release: MOV.AI Robotics Engine v2.2.3-4
Patched Version Release: 22 September 2022
Vulnerability Type: Reflected XSS (CWE-79)
CVE Reference: CVE-2022-46620
Author of Advisory: Thurein Soe

Vendor Description:
MOV.AI is a Robotics Engine platform based on ROS. It is packaged in an intuitive web-based interface to develop autonomous mobile robots (AMRs) and automated guided vehicles (AGVs). It integrates with navigation, localization, calibration, and the enterprise-grade tools they need for advanced automation.

Vulnerability Description:
A reflected cross-site scripting (XSS) vulnerability, triggered via a POST request, in MOV.AI Robotics Engine v2.2.3-3 allows an attacker to execute arbitrary JavaScript in the context of the RCS application because user-supplied data is not adequately sanitized. During the assessment it was possible to submit arbitrary JavaScript, which the server returned unmodified as part of the application response body due to insufficient input validation.

Vulnerable Parameters:
dashboard/users/admin2
dashboard/groups
AdminBoard

Impact:
Cross-site scripting issues occur when an application places untrusted data supplied by untrusted users into a web page without sufficient prior validation or escaping. A potential attacker can embed untrusted code within a client-side script that the browser executes while interpreting the page. Attackers use XSS vulnerabilities to execute scripts in a legitimate user's browser, leading to credential theft, session hijacking, website defacement, or redirection to malicious sites.

References:
https://www.immuniweb.com/vulnerability/cross-site-scripting.html

Disclosure Timeline:
06 July 2022: Found security vulnerability during a security assessment
08 July 2022: Customer reported the security vulnerability to MOV.AI
15 September 2022: Further details of remediation steps sent to MOV.AI
22 September 2022: Patch released to MOV.AI customers by MOV.AI

Credits:
Thurein Soe
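The root cause the advisory describes is a value from the request being written back into the HTML response without encoding. The following is an added example, not MOV.AI's code and not part of the original advisory: it models that reflection pattern with a constructed stand-in for the "dashboard/groups" parameter, shows the unsafe renderer next to a hardened one that HTML-encodes every interpolation, and includes a small defender-side check that flags a response which echoes the raw input with its HTML metacharacters intact. The function and variable names are assumptions chosen for illustration.

```javascript
// Added example (not MOV.AI's code): a minimal model of the reflected-XSS
// pattern described in the advisory. A user-supplied value (here a group
// name, a constructed stand-in for the "dashboard/groups" parameter) is
// written into an HTML response. The unsafe renderer interpolates it
// verbatim; the hardened renderer HTML-encodes it first, so markup in the
// input is displayed as text instead of being parsed by the browser.

// Encode the five characters that change meaning in HTML text and quoted
// attribute contexts. This is the standard context-appropriate escaping
// for values placed inside element content or inside quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the group name is reflected into the page unchanged, both in
// element content and inside a quoted attribute.
function renderGroupPageUnsafe(groupName) {
  return `<h1>Group: ${groupName}</h1>\n` +
         `<input name="group" value="${groupName}">`;
}

// Hardened: the same template, but every interpolation is encoded.
function renderGroupPageSafe(groupName) {
  const safe = escapeHtml(groupName);
  return `<h1>Group: ${safe}</h1>\n` +
         `<input name="group" value="${safe}">`;
}

// Defender-side check for a test suite or scanner: does the response body
// contain the submitted input with its HTML metacharacters intact? If so,
// the value was reflected without encoding. The check is only meaningful
// when the input actually contains such characters.
function reflectsUnescaped(responseBody, input) {
  const hasMeta = /[<>"'&]/.test(input);
  return hasMeta && responseBody.includes(input);
}

// Constructed sample input: harmless markup plus a double quote, enough to
// show whether the value breaks out of its text and attribute contexts.
const SAMPLE_GROUP = '<b>admin2</b> "ops"';

// Run both renderers over the sample and report what the check sees.
function demo() {
  const unsafe = renderGroupPageUnsafe(SAMPLE_GROUP);
  const safe = renderGroupPageSafe(SAMPLE_GROUP);
  return {
    unsafeReflected: reflectsUnescaped(unsafe, SAMPLE_GROUP), // true
    safeReflected: reflectsUnescaped(safe, SAMPLE_GROUP),     // false
    safeBody: safe,
  };
}

console.log(demo());
```

Output encoding of this kind is the fix class the vendor's v2.2.3-4 release would be expected to apply; a regression test that submits a value like SAMPLE_GROUP to each affected endpoint and asserts reflectsUnescaped() is false is a cheap way to keep the issue from returning.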
