NesterSoft WorkTime Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in NesterSoft WorkTime versions through 11.8.8. The issue arises in the server API endpoint '/report/internet/urls', which reflects received data in the HTML response without adequate encoding or filtering. This flaw enables an attacker to execute arbitrary JavaScript in the victim's browser, provided the victim opens a specially crafted URL.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute JavaScript in the context of the victim's browser.

Reproduction

To reproduce this vulnerability, send a POST request to the '/report/internet/urls' endpoint. Include a 'type' parameter in the request body with a JavaScript payload, such as a script tag containing JavaScript code, such as an alert. The injected payload will be reflected in the response without proper sanitization, executing the JavaScript in the victim's browser.