TYDAC AG MAP+ Reflected Cross-Site Scripting Vulnerability in PDF Export Functionality
Vulnerability
A reflected cross-site scripting vulnerability has been identified in the PDF export feature of TYDAC AG's MAP+ solution, specifically in version 3.4.0. This vulnerability allows unauthenticated attackers to create malicious URLs that, when clicked by a victim, execute arbitrary JavaScript in the victim's browser context. The exploitation could involve stealing session cookies to hijack user accounts, particularly those with editing privileges.
Impact
Exploitation of this vulnerability allows for the execution of malicious JavaScript in the context of the victim's browser, potentially leading to session hijacking by stealing cookies and taking over the user's account, especially if it has editing rights.
Reproduction
To reproduce this vulnerability, initiate a PDF export in the MAP+ application. If an error occurs, the application reflects the 'site' parameter in the error message without proper sanitization. This flaw can be exploited by replacing the 'site' parameter with an XSS payload, such as a script tag containing JavaScript code. The server reflects the injected script in its error response, and the browser executes it in the context of the user's session, provided a valid session cookie is present.
Remediation
Users are advised to update to the patched version of MAP+. The vendor has backported the fix to all versions greater than 3.0. However, since the version numbers remain unchanged after patching, it is recommended to verify with the vendor whether a specific installation has been updated. As an additional measure, configure a strong Content-Security-Policy to mitigate XSS risks, and ensure that other web applications on the same domain do not extend trust to MAP+ (for example through permissive Cross-Origin Resource Sharing policies).
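The following is an added illustration of the flaw class described in the Reproduction section and of the remediation steps above; it is not MAP+ code and is not taken from the vendor. It assumes only what the advisory states: an error page that echoes a 'site' query parameter. The handler names, the example host, the CSP values and the sample request are constructed for the example. It contrasts the unescaped reflection with an output-encoded version, attaches the defensive headers a patched deployment would want, and includes a small log-triage check that flags requests whose 'site' parameter carries markup.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed test input: the classic benign XSS probe in the reflected parameter.
SAMPLE_URL = "https://mapplus.example/export?site=<script>alert(1)</script>"


def render_error_vulnerable(site: str) -> str:
    """Hypothetical 'before' state: the parameter is interpolated into HTML verbatim,
    so any markup in it becomes part of the page (this is the advisory's flaw class)."""
    return f"<html><body><p>PDF export failed for site: {site}</p></body></html>"


def render_error_fixed(site: str) -> str:
    """Hypothetical 'after' state: html.escape turns < > & ' " into entities,
    so the value is displayed as text and never parsed as markup."""
    return f"<html><body><p>PDF export failed for site: {html.escape(site, quote=True)}</p></body></html>"


def security_headers() -> dict:
    """Defensive headers a patched deployment would add. The CSP forbids inline
    scripts, so even a reflected <script> block is not executed by a compliant
    browser; the cookie flags keep the session token out of reach of script."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'none'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
        # Hypothetical cookie name; HttpOnly blocks document.cookie access.
        "Set-Cookie": "MAPSESSION=<token>; Path=/; Secure; HttpOnly; SameSite=Lax",
    }


def handle_export(url: str, fixed: bool) -> tuple[str, dict]:
    """Simulates the error path of the export endpoint for a given request URL.
    Returns (response body, response headers)."""
    site = parse_qs(urlparse(url).query).get("site", [""])[0]
    if fixed:
        return render_error_fixed(site), security_headers()
    return render_error_vulnerable(site), {}


def contains_live_script(body: str) -> bool:
    """Crude check used here to show the difference between the two renderings:
    a literal <script tag in the body would be parsed as an element."""
    return "<script" in body.lower()


def suspicious_site_param(url: str) -> bool:
    """Log-triage helper: flag export requests whose 'site' value carries markup
    characters. Useful for spotting exploitation attempts in access logs of an
    instance whose patch status is unknown."""
    site = parse_qs(urlparse(url).query).get("site", [""])[0]
    return any(ch in site for ch in "<>\"'")


if __name__ == "__main__":
    vuln_body, _ = handle_export(SAMPLE_URL, fixed=False)
    fixed_body, headers = handle_export(SAMPLE_URL, fixed=True)
    print("vulnerable:", vuln_body)
    print("fixed:     ", fixed_body)
    print("headers:   ", headers)
    print("flagged:   ", suspicious_site_param(SAMPLE_URL))
```

Output encoding at the reflection point is the actual fix; the CSP and cookie flags are defence in depth for the case the advisory warns about, where an installation may still be running the unpatched code under an unchanged version number.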