Key Systems Inc Global Facilities Management Software Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Key Systems Inc Global Facilities Management Software version 20230721a. The issue arises in the selectgroup and gn parameters on the /?Function=Groups endpoint, allowing remote attackers to execute arbitrary code. User-supplied input is not properly sanitized or encoded, which allows the injection of malicious JavaScript that executes in the context of other users' sessions.

Impact

Exploitation of this vulnerability allows for the injection of malicious JavaScript, which can execute in the context of other users' sessions. This could lead to unauthorized access to user session data, including session cookies, and allow attackers to perform actions on behalf of the user or steal sensitive information.

Reproduction

To reproduce this vulnerability, authenticate into the Global Facilities Management System web application and navigate to the Groups section. Edit the Group Name field by inserting a basic XSS payload, such as a script tag containing JavaScript code, and save the changes. The injected script will execute on any page where the Group Name is displayed, demonstrating the cross-site scripting vulnerability.
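The fix for this class of bug is output encoding wherever the stored Group Name is rendered, plus a review of values already saved. The following is an added example, not code from the vendor or from this advisory: it assumes the group name is rendered into an HTML option element, and the function names and sample data are hypothetical.

```python
import html
import re

# Constructed sample of stored group names (not taken from a real system).
# The second entry stands in for the "basic XSS payload" case described above.
STORED_GROUPS = [
    "Maintenance",
    "<script>alert(1)</script>",
    'Night "B" shift',
    "R&D <north>",
]


def render_option_unsafe(name):
    # Vulnerable pattern: the stored value is concatenated into markup as-is,
    # so any tags or quotes it contains become part of the page.
    return '<option value="' + name + '">' + name + "</option>"


def render_option_safe(name):
    # Encode at output time. quote=True also escapes " and ', which matters
    # because the value lands in an attribute as well as in element text.
    enc = html.escape(name, quote=True)
    return f'<option value="{enc}">{enc}</option>'


# Markup-like content: tag openers, numeric entities, inline event handlers,
# and javascript: URLs. Deliberately broad, since hits go to human review.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]|&#|\bon\w+\s*=|javascript:", re.IGNORECASE)


def audit_stored_names(names):
    """Return stored names containing markup-like content that need review."""
    return [n for n in names if MARKUP.search(n)]


if __name__ == "__main__":
    for group in STORED_GROUPS:
        print(render_option_safe(group))
    print("Needs review:", audit_stored_names(STORED_GROUPS))
```

Encoding on output neutralizes values that are already stored, while the audit finds records that should be cleaned up; a legitimate name such as "R&D <north>" is flagged for review but still renders correctly once encoded.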

Added: Feb 20, 2026, 5:42 PM
Updated: Feb 20, 2026, 7:14 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 1.7
exploitability: 6.0
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.