CobbleStone Software Enterprise Contract Management Portal Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in CobbleStone Software's Enterprise Contract Management Portal version 22.4.0. The issue resides in the chat box component, where the application fails to properly sanitize user input. This flaw allows remote attackers to inject malicious scripts that are executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, log into the Enterprise Contract Management application and open the chat box. Select a user to chat with and type a message that includes a JavaScript payload, such as a script tag with an alert command. Once the message is sent, the script will execute in both the sender's and recipient's browsers, demonstrating the cross-site scripting vulnerability. This issue could potentially be used as a stepping stone for further attacks.