Explorance Blue Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Explorance Blue version 8.1.2. This issue allows attackers to inject arbitrary JavaScript that executes in the context of the user's browser. The vulnerability arises from insufficient input validation in the Group Name and Project Description fields, as well as the Details and Option input fields.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the victim's browser, potentially leading to session hijacking, redirection to malicious sites, content defacement, or theft of sensitive information.

Reproduction

To reproduce this vulnerability, create a new project in Explorance Blue 8.1.2. For reflected XSS, insert an XSS payload into the Project Description and Group Name fields. For stored XSS, add a new question in the survey and insert an XSS payload into the Details and Option fields. Once saved and published, the JavaScript will execute in the victim's browser.

Remediation

Users are advised to apply input validation and context-appropriate output encoding on all user-supplied fields, including Group Name, Project Description, Details and Option. Additionally, a Content Security Policy (CSP) should be deployed to restrict the execution of untrusted and inline scripts, which limits the impact of any encoding gap. No vendor fix is currently available; Explorance should release a patched version.

Added: Sep 15, 2025, 7:10 PM
Updated: Sep 15, 2025, 7:10 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 7.7
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.