Vanderlande Baggage 360 Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Vanderlande Baggage 360 version 7.0.0. The issue arises in the web application's messaging feature, where the endpoint '/api-addons/v1/messages' accepts HTML input in the 'message' field. This input is stored and later rendered in the user interface without proper escaping, allowing injected JavaScript to execute in the context of the application. The vulnerability can be exploited remotely by authenticated users with low privileges.
Impact
Exploitation of this vulnerability allows for the execution of injected JavaScript in the application context, potentially leading to session hijacking and unauthorized actions within the user interface.
Reproduction
To reproduce this vulnerability, an authenticated user can navigate to the 'Messages' section of the 'Interterm Bag Journey Details'. After intercepting the request to add a message, the user can replace the message content with an XSS payload, such as an image tag with an 'onerror' event. Once the request is submitted, the payload will execute when the message is viewed.
Remediation
To address this vulnerability, it is recommended to sanitize the 'message' field by removing JavaScript event handlers, blocking certain HTML tags that can execute scripts, and properly encoding HTML before rendering. Additionally, tests should be implemented to ensure that common XSS vectors are neutralized.
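The following is an added example, not code from Vanderlande or from the original advisory: one way to implement the output-encoding part of this remediation, with a regression check over common XSS vectors. The function names (`escapeHtml`, `renderMessage`, `findUnneutralized`) and the sample vectors are assumptions constructed for illustration.

```javascript
// Added example (hypothetical names, not Baggage 360 code): encode the stored
// 'message' value at render time so it can only ever be displayed as text.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode every character that can open a tag, close an attribute or start an
// entity. "&" is in the set, so input that is already encoded is encoded again
// and shown literally instead of being decoded back into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

const OPEN = '<li class="message">';
const CLOSE = "</li>";

// Build the markup for one stored message. The only markup in the result is
// the wrapper written here; the message itself is always encoded.
function renderMessage(message) {
  return OPEN + escapeHtml(message) + CLOSE;
}

// Constructed regression vectors covering the classes named in the
// remediation: event handlers, script-capable tags and attribute breakout.
const XSS_VECTORS = [
  "<img src=x onerror=alert(1)>",
  "<script>alert(1)</script>",
  "<svg onload=alert(1)>",
  '"><b onmouseover=alert(1)>x</b>',
  "<a href='javascript:alert(1)'>x</a>",
];

// Return the vectors whose rendered form still contains a raw markup
// character inside the wrapper. An empty array means all were neutralized.
function findUnneutralized(vectors) {
  return vectors.filter((v) => {
    const inner = renderMessage(v).slice(OPEN.length, -CLOSE.length);
    return /[<>"']/.test(inner);
  });
}
```

When the interface builds the message element through the DOM rather than by string concatenation, assigning the value to `textContent` gives the same guarantee without a manual encoder.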
