IsarFlow stored cross-site scripting vulnerability

A stored cross-site scripting vulnerability was found in the IsarFlow software version 5.23 (or earlier) of IsarNet Software Solutions GmbH. We have reported this vulnerability to the software vendor, who immediately addressed the issue and fixed the vulnerability in versions 5.25.14 and 5.26.4.

Description

The dashboard title is not encoded properly in all places and is susceptible to stored cross-site scripting.

Upon opening the “delete dashboard” dialog, the JavaScript-Code gets executed.

Additionally, the “User dashboard” menu provides an admin with the ability to browse and edit all user generated dashboards. This view does also not encode the dashboard title, resulting in the executing of the payload and can therefore be used to target higher privileged user accounts.

Affected Component

IsarFlow Portal

Attack Type

Remote

Impact Code Execution

True

Attack vectors

To exploit the vulnerability, an attacker needs access to the application.

Reference

TBA

Discoverer

Max Maier (mgm security partners), Benedikt Haußner (mgm security partners)