KnowBe4 Security Awareness Training Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the KnowBe4 Security Awareness Training application, affecting versions prior to January 10, 2020. This vulnerability allows an attacker to execute attacker-supplied JavaScript in the context of the user's browser by means of a specially crafted GET request. The injection point is the URL path of the phishing demonstration page, which is reflected into the response.

Impact

Exploitation of this vulnerability could lead to the execution of malicious scripts in the user's browser, potentially compromising the confidentiality of the KnowBe4 SAT application session and allowing further exploitation of the user's system.

Reproduction

To reproduce this vulnerability, send a GET request to the KnowBe4 Security Awareness Training application whose URL path carries a JavaScript URL as the payload. The response reflects the path into a SCRIPT element that executes the payload, for example an alert displaying document.domain.
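The following is an added example and is not KnowBe4's code or anything taken from the application. It models the class of defect the advisory describes, a URL path segment reflected into markup and into a SCRIPT element, and shows the hardened form beside it: allowlist validation of the path, context-specific output encoding, and a detection helper that flags script-scheme values in request logs. The page template, the function names and the sample inputs are assumptions constructed for the illustration.

```javascript
// Added example (not KnowBe4's code): reflecting a URL path segment into an
// HTML response, in the unsafe form the advisory describes and a hardened form.

// Constructed sample inputs, not taken from the advisory.
const SAMPLE_PATHS = {
  benign: "campaign-42",
  hostile: "javascript:alert(document.domain)", // the JavaScript-URL class of payload
};

// Encode a value for insertion into HTML text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Encode a value for use as a JavaScript string literal inside a <script>
// block: JSON-encode, then escape characters that could close the script
// element or break the literal across line terminators.
function encodeForScript(s) {
  return JSON.stringify(String(s))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Allowlist: only short relative paths made of a conservative character set.
// Schemes (anything containing ":"), traversal and protocol-relative forms are
// rejected outright rather than "cleaned".
function isSafeRelativePath(p) {
  const s = String(p);
  return /^\/?[A-Za-z0-9_\-\/.]{1,200}$/.test(s) && !s.includes("..") && !s.startsWith("//");
}

// Detection helper for request logs or input validation: true when the value,
// after whitespace and control characters are removed, starts with a scheme
// that browsers treat as executable.
function looksLikeScriptUrl(s) {
  const norm = String(s).replace(/[\s\u0000-\u001f]/g, "").toLowerCase();
  return /^(javascript|vbscript|data):/.test(norm);
}

// UNSAFE (assumed template): the path is concatenated straight into markup and
// into a script that navigates to it. A javascript: value is therefore executed.
function renderUnsafe(pathSegment) {
  return "<p>Demo page: " + pathSegment + "</p>\n" +
         '<script>location.href = "' + pathSegment + '";</script>';
}

// HARDENED: validate against the allowlist first, then encode per output
// context. Rejected values are never echoed back to the browser.
function renderHardened(pathSegment) {
  if (!isSafeRelativePath(pathSegment)) {
    return "<p>Invalid demo page.</p>";
  }
  return "<p>Demo page: " + escapeHtml(pathSegment) + "</p>\n" +
         "<script>location.href = " + encodeForScript(pathSegment) + ";</script>";
}

// Usage: compare both renderings for the constructed inputs.
for (const [label, p] of Object.entries(SAMPLE_PATHS)) {
  console.log(`--- ${label} (script URL detected: ${looksLikeScriptUrl(p)})`);
  console.log("unsafe:\n" + renderUnsafe(p));
  console.log("hardened:\n" + renderHardened(p));
}
```

The two defenses are independent: the allowlist keeps the hostile value out of the page entirely, and the encoders make sure that even an allowed value cannot change the meaning of the HTML or script it is placed into. `looksLikeScriptUrl` normalizes away the whitespace and control characters that are commonly used to disguise a scheme, which is what makes it suitable for screening request logs.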

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.