Reflected Cross-Site Scripting in businesscenter.kaiza.la
MediumSynopsis
Tenable discovered a cross-site scripting vulnerability in the url parameter of https://businesscenter.kaiza.la/consoleTab/popupTransactionStart.html. This can lead to an attacker gaining arbitrary javascript execution in the context of a victim's browser if they convince said victim to follow a malicious link.
As most subdomains of kaiza.la trust *.kaiza.la for cross-origin requests, this could potentially be leveraged for further impact. For example, a more complicated payload could leverage the page https://webapp.kaiza.la/assets/actionboot.html to load content from a custom kaizala action which allows the reflected XSS to steal authentication tokens for the webapp.kaiza.la domain if the victim is currently logged into webapp.kaiza.la.
The vulnerability exists because the url parameter is passed unsanitized to window.location.href, so passing an argument like javascript:alert(1);// will trigger the execution of javascript while still in the context of the businesscenter.kaiza.la domain, the ;// commenting out any additional text from the original source code in the context of the malicious javascript uri passed.
Proof of Concept:
Prior to being fixed, visiting the following link would trigger a reflected XSS payload:
https://businesscenter.kaiza.la/consoleTab/popupTransactionStart.html?url=javascript:alert(document.domain)%3b%2f%2f
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Risk Information
Evan Grant
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
businesscenter.kaiza.la
Medium