a466350665 Smart-SSO Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in a466350665 Smart-SSO versions through 2.1.1. The issue arises in the Login component, specifically within the file smart-sso-server/src/main/resources/templates/login.html. The vulnerability is triggered by manipulating the redirectUri parameter, allowing for the injection of malicious scripts. This issue can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a request to the application with a manipulated redirectUri parameter. The application will reflect the input without proper validation or escaping, leading to the execution of injected scripts. This vulnerability can be identified using Google Hacking by searching for vulnerable targets with the query 'inurl:smart-sso-server/src/main/resources/templates/login.html'.