Microcom ZeusWeb Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the ZeusWeb application by Microcom, specifically in version 6.1.31. The issue allows an attacker to inject arbitrary JavaScript by placing an XSS payload in the 'Surname' field during the 'Create Account' process. This vulnerability can be exploited through a specific URL with a query parameter that activates the injection.

Impact

Exploitation results in reflected cross-site scripting: an attacker can inject malicious scripts that execute in the context of the user's browser.

Reproduction

To reproduce this vulnerability, access the ZeusWeb application at 'https://zeus.microcom.es:4040/index.html?zeus6=true'. Navigate to the 'Create Account' section and inject a JavaScript payload into the 'Surname' parameter. Once the account is created, the injected script will be executed, demonstrating the cross-site scripting vulnerability.

Remediation

Microcom has released a patched version 6.2.5, which addresses this vulnerability. Users do not need to take any action, as the update has been applied automatically in the cloud-based service.

Added: Feb 11, 2026, 9:52 AM
Updated: Feb 11, 2026, 4:54 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 2.9
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.