Lorensbergs Connect2 Cross-Site-Scripting

Written by

Ibai Castells

Published on

1 Dec 2021

TL;DR:

  • Cross-site scripting vulnerabilities were found in the wizard editor component of Lorensbergs Ltd.'s Connect2 booking product.
  • The findings have been released under CVE-2021-43960.
  • The vulnerability required administrator privileges to be exploited and affected all users of the application, including other administrators.

Summary

Lorensbergs Connect2 is software that handles the booking process for student resources and services. The software is affected by a cross-site scripting vulnerability that may allow an attacker to steal end-user session cookies, redirect users to malicious websites, capture keystrokes, steal sensitive information and perform other malicious activities, all of which become possible once client-side JavaScript code can be injected into the application.

Affected Products

Lorensbergs Ltd.'s Connect2 version 3.13.7647.20190. This was the only version available for testing, so other versions were not tested. Other versions could be vulnerable as well.

Technical Details

There is a cross-site scripting (XSS) vulnerability in the Connect2 software. A user with administrator privileges is able to inject JavaScript into the booking system pages using the Wizard functionality within the application. This affects end users because the payloads are executed throughout the material booking process. The payloads can be injected into all of the Wizard form fields and will trigger whenever the contents of these form fields are rendered during the booking process. The vulnerable form fields are all the ones present on the following:

The exploitation process consists of an administrator populating any of the form fields available through the Wizard functionality with malicious JavaScript code. Once the Save button is clicked, the payloads are triggered every time a user loads the step of the booking process that the edited Wizard corresponds to.

As a basic proof of concept, the consultant first attempted to generate a JavaScript alert using the following cross-site scripting (XSS) payload:

<script>alert("SureCloud XSS")</script>

This resulted in an alert being shown to the user as soon as they entered the first step of the material booking process. Since the proof of concept was successful, the consultant used other payloads to demonstrate the potential impact of this vulnerability.

In the particular instance that the SureCloud consultant tested, the session cookies had the HttpOnly flag correctly set and the CORS policy was strict, so it was not possible for the consultant to hijack other users' sessions through common methods: the cookies were not accessible from client-side code. The consultant was, however, able to redirect users to arbitrary web pages with the payload shown in the following screenshot, which could be used for phishing, drive-by attacks and defamation purposes by sending users to undesired web pages.

It should be noted that all users, including administrators, are affected by this issue.

Impact

Since this instance had well-configured session cookies with the HttpOnly flag enabled and a strict CORS policy, stealing session cookies through conventional XSS payloads was not feasible. However, using alternative payloads, a malicious actor is able to redirect users to malicious pages where phishing attacks can be performed. Users can also be redirected to pages hosting drive-by attacks, infecting end users with malware.

Malicious actors can also use this vulnerability to capture users' keystrokes by creating a payload that records every key pressed by a user and sends the information back to the attacker, for example through HTTP requests to a web server they control. This could expose sensitive information, as the booking process may require credit card details to be entered in its last steps to pay for the borrowed materials.

Last words

Lorensbergs Ltd. has chosen not to publicly address this issue. It is unknown whether they have done so privately, so the vulnerable version of Connect2 may still be affected even after the publication of this blog post. Developers and system maintainers are advised to implement their own solutions as a temporary mitigation until Lorensbergs Ltd. releases an update with a fix.
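The root cause described above is that administrator-supplied Wizard field text is placed into the booking pages as markup rather than as text. The following is an added example, not code from Lorensbergs or from SureCloud, showing the vulnerable rendering pattern beside a hardened version that HTML-encodes every stored value before it reaches element text or an attribute; the step and field names are assumed for illustration and the sample step is constructed.

```javascript
// Characters that can open a tag, attribute or entity in HTML, mapped to
// their entity-encoded forms.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};

// Entity-encode a stored value so the browser displays it literally.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored Wizard field text is concatenated straight into
// the page markup, so a title such as <script>alert("SureCloud XSS")</script>
// executes in the browser of every user who reaches this booking step.
function renderStepUnsafe(step) {
  const inputs = step.fields.map(
    (f) => `<label>${f.label}<input name="${f.name}" placeholder="${f.placeholder}"></label>`
  );
  return `<h2>${step.title}</h2>` + inputs.join("");
}

// Hardened pattern: the same template, but every stored value passes through
// escapeHtml() before being placed in element text or a quoted attribute.
function renderStepSafe(step) {
  const e = escapeHtml;
  const inputs = step.fields.map(
    (f) => `<label>${e(f.label)}<input name="${e(f.name)}" placeholder="${e(f.placeholder)}"></label>`
  );
  return `<h2>${e(step.title)}</h2>` + inputs.join("");
}

// Defence in depth (assumed header value, not from the advisory): a CSP that
// omits 'unsafe-inline' stops inline script even if encoding is missed somewhere.
const CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'";

// Constructed sample: a Wizard step whose title an administrator set to the
// proof-of-concept payload from the write-up, plus a label containing quotes.
const SAMPLE_STEP = {
  title: '<script>alert("SureCloud XSS")</script>',
  fields: [{ name: "room", label: 'Bob\'s "lab" room', placeholder: "Pick a room" }],
};

// Quick check a maintainer can run against rendered output: does any raw
// <script tag survive? Returns true when the output is still dangerous.
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}
```

Running `renderStepSafe(SAMPLE_STEP)` yields the payload as visible text (`&lt;script&gt;...`) while `renderStepUnsafe(SAMPLE_STEP)` emits the live `<script>` element.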

Disclosure timeline

21/07/2021        Bug identified

22/07/2021        Lorensbergs Ltd. contacted to request an appropriate contact for disclosure

16/09/2021        Lorensbergs Ltd. contacted to notify them of the vulnerability

17/11/2021        CVE number requested, granted and reserved

12/01/2022        Vulnerability published via SureCloud's blog