Lorensbers Ltd’s Connect2 version 3.13.7647.20190. This was the only version available for testing, so other versions were not tested. Other versions could be vulnerable as well.
This resulted in an alert being shown to the user once they entered the first step of the material booking process. Seeing as proof of concept was successful, the consultant used other payloads to show the potential impact of this vulnerability.
In the particular instance that the SureCloud consultant tested, it was found that the HttpOnly flag for session cookies was well configured as well as the CORS policy – it was therefore impossible for the consultant to hijack other user sessions through common methods as these were not accessible through client-side code. The consultant was, however, able to redirect users to arbitrary web pages through the payload demonstrated in the above screenshot which could be used for phishing, drive-by attacks and defamation purposes by redirecting users to undesired webpages with the payload shown in the following screenshot.
It should be noted that all users, including administrators, are affected by this issue.
Since this instance had well configured session cookies with the enabled HttpOnly flag and a strict CORS policy, stealing session cookies through conventional XSS payloads was not feasible. However, using alternative payloads, a malicious actor is able to redirect users to malicious pages where phishing attacks can be performed. Additionally, they can be redirected to pages for drive-by attacks, therefore, infecting the end-users with malware.
Additionally, malicious actors can also use this vulnerability to capture users’ keystrokes by creating a payload that records all keys being pressed by a user and sending the information back to an attacker through HTTP requests to their own web server for example. This could lead to sensitive information being exposed as the booking process may require credit card information to be entered during its last steps to pay for the borrowed materials.
Loresnbergs Ltd. has chosen not to publicly address this issue. It is unknown whether they have done so privately, so the vulnerable version of Connect2 may still be vulnerable even after the publication of this blog post. Developers and system maintainers are advised to implement their own solutions as a temporary mitigation until Lorensbergs Ltd. releases an update with a fix.
21/07/2021 Bug Identified
22/07/2021 Lorensbergs Ltd. contacted to request for appropriate contact for disclosure.
16/09/2021 Lorensbergs Ltd. contacted to notify them of the vulnerability
17/11/2021 CVE number requested, granted and reserved
12/01/2022 Vulnerability published via SureCloud’s blog