IngEstate Server Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in IngEstate Server version 11.14.0. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the About application, What's news, or Release note parameters. The issue arises in the Edit feature of the Software Package List page, where injected scripts are saved on the server and executed in the context of other users who view the affected sections.
Impact
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the browsers of users viewing the compromised Software Package information. This could lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim.
Reproduction
To reproduce this vulnerability, an authenticated user must access the Software Package List page through the dashboard. The Edit feature can be used to interact with the API endpoint /emgui/rest/appDatasheet/. An XSS payload can then be injected into the 'About application', 'What's news', or 'Release note' parameters. Once the payload is injected, it is saved on the server and executed when other users view those sections.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.