MyNET Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in MyNET versions through 26.08. This vulnerability allows attackers to execute arbitrary code in the context of a user's browser by injecting a crafted payload into various unsanitized HTTP parameters. The exploitation of this vulnerability can lead to parameter pollution, where the injected payload disrupts the normal processing of the application's parameters.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a link to the victim that includes a payload injected into one of the following parameters: 'msg', 'src', 'ficheiro', or 'intmenu'. The injected payload can be crafted to execute JavaScript, such as an alert or a confirmation dialog, when the link is clicked.