Inetum IODAS Reflected Cross-Site Scripting Vulnerability
Vulnerability
A reflected cross-site scripting vulnerability has been identified in Inetum IODAS versions 7.2-LTS.4.1-JDK7 and 7.2-RC3.2-JDK7. The issue arises from an unknown function in the file '/astre/iodasweb/app.jsp', where the 'action' argument is not properly validated or encoded. This flaw allows remote attackers to inject malicious JavaScript that is executed in the context of the user's browser.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the victim's browser. This could lead to actions being performed on behalf of the user, theft of session tokens, UI defacement, redirection to malicious websites, social engineering attacks, or unauthorized access to user accounts.
Reproduction
To reproduce this vulnerability, send a request to '/astre/iodasweb/app.jsp' with the 'action' parameter manipulated to include an image tag (with an invalid image source) using an 'onerror' event. This will trigger the cross-site scripting vulnerability by executing the JavaScript code in the victim's browser.
Remediation
It is recommended to validate user input and apply context-appropriate output encoding wherever it is reflected into a page, implement a Content Security Policy, set the 'HttpOnly' and 'Secure' flags on session cookies, and review Web Application Firewall settings and behavior across all application versions.
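The following is an added example, not Inetum IODAS code, illustrating the output-encoding remediation for a reflected parameter like 'action': the unsafe concatenation beside its hardened form. The class, method names and the hidden-input markup are assumptions; in a JSP the equivalent fix is to replace a raw `<%= request.getParameter("action") %>` with the encoded value (or JSTL `<c:out>`, which escapes by default).

```java
/**
 * Hypothetical output-encoding helper for a reflected request parameter.
 * Example code written for this advisory, not the product's source; kept
 * free of post-JDK7 APIs since the affected builds are JDK7 variants.
 */
public final class ReflectedParamEncoding {

    /** Encode a value for an HTML text node or a double-quoted attribute value. */
    public static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: the parameter is written into markup unchanged. */
    static String renderUnsafe(String action) {
        return "<input type=\"hidden\" name=\"action\" value=\"" + action + "\">";
    }

    /** Hardened pattern: the parameter is encoded for the attribute context first. */
    static String renderSafe(String action) {
        return "<input type=\"hidden\" name=\"action\" value=\""
                + encodeForHtml(action) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample input of the shape the advisory describes:
        // a closing quote followed by an image tag carrying an onerror handler.
        String action = "\"><img src=x onerror=alert(1)>";
        System.out.println(renderUnsafe(action)); // attribute closed, new element injected
        System.out.println(renderSafe(action));   // quotes and brackets remain inert text
    }
}
```

Encoding must match the output context: a value placed inside a script block or a URL needs a different encoder than the HTML one shown here.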