Key Systems Inc Global Facilities Management Software
cpe:2.3:a:keystorage:global_facilities_management_software:*:*:*:*:*:*:*
- 20230721a
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Key Systems Inc Global Facilities Management Software version 20230721a. The issue arises in the 'Function' parameter, whose value is reflected into HTML pages without encoding or sanitization. This flaw allows remote attackers to execute arbitrary JavaScript in the context of the victim's browser session.
Because the injected JavaScript runs with the privileges of the victim's browser session, successful exploitation could lead to unauthorized access to session cookies, execution of actions on behalf of the user, retrieval of sensitive files, and theft of personal data.
To reproduce this vulnerability, first validate that the Global Facilities Management Software version is 20230721a. Then, navigate to the application panel and identify the 'Function' parameter. Replace its value with an XSS payload, such as a JavaScript alert command, and observe the execution of the injected script.
It is recommended to use templating engines that automatically escape content, to implement strict input validation and sanitization, and to apply context-appropriate output encoding for all user-controlled data rendered on web pages.
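The following is an added illustration of the recommendation above, not code from the advisory or from the vendor's product. It assumes a hypothetical server-side handler that reflects the 'Function' parameter into a page, and shows the unencoded rendering next to a hardened version that validates the parameter against an allowlist and HTML-encodes it in both text and attribute context. The sample parameter values are constructed for the example.

```python
import html
import re

# Constructed sample values for the 'Function' parameter (not taken from the advisory).
BENIGN_VALUE = "ViewKeys"
MARKUP_VALUE = "<script>alert(1)</script>"   # generic markup-bearing test input
ATTR_BREAKOUT_VALUE = '" onfocus="x'         # input that would break out of a quoted attribute

# Hypothetical allowlist: a function name is a short identifier, nothing else.
FUNCTION_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")


def render_vulnerable(function_value: str) -> str:
    """Reflects the parameter straight into the page; this is the defect class
    the advisory describes (the vendor's real template is not known)."""
    return f"<h2>Function: {function_value}</h2>"


def render_hardened(function_value: str) -> str:
    """Same page, but every user-controlled character is HTML-encoded for text context."""
    return f"<h2>Function: {html.escape(function_value, quote=True)}</h2>"


def render_hardened_attribute(function_value: str) -> str:
    """Attribute context: quote=True turns '\"' into &quot; so the value cannot close
    the attribute and start a new one. The attribute must itself be quoted."""
    return f'<input name="Function" value="{html.escape(function_value, quote=True)}">'


def is_valid_function_name(value: str) -> bool:
    """Input validation layer: accept only what the application actually needs."""
    return FUNCTION_NAME_RE.fullmatch(value) is not None


def handle_request(params: dict) -> tuple:
    """Hypothetical request handler: validate first, then encode on output.
    Returns (http_status, response_body)."""
    value = params.get("Function", "")
    if not is_valid_function_name(value):
        # Reject rather than trying to "clean" the value; the error page itself
        # does not echo the rejected input.
        return 400, "<p>Invalid Function parameter.</p>"
    return 200, render_hardened(value)


if __name__ == "__main__":
    for value in (BENIGN_VALUE, MARKUP_VALUE):
        print("vulnerable:", render_vulnerable(value))
        print("hardened:  ", render_hardened(value))
        print("handler:   ", handle_request({"Function": value}))
    print("attribute: ", render_hardened_attribute(ATTR_BREAKOUT_VALUE))
```

Validation and encoding are deliberately separate layers: the allowlist stops unexpected values early, while the encoding step protects any page that must still display free-form text. Which encoder to use depends on where the value lands (HTML body, attribute, JavaScript, URL), so a templating engine that applies context-aware auto-escaping is the simplest way to get this right across the whole application.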