VertiGIS FM Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the VertiGIS FM solution, specifically within the dashboard search feature. This vulnerability allows attackers to create a malicious URL that, when visited by an authenticated user, executes arbitrary JavaScript in the context of that user. The crafted URL could be sent directly to the victim or embedded in a page that the victim is tricked into visiting.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the victim's browser, potentially leading to unauthorized actions being performed on their behalf. If the affected user has sufficient privileges, an attacker could also access and modify stored data.

Reproduction

To reproduce this vulnerability, an authenticated user must be tricked into clicking a crafted URL that exploits the reflected cross-site scripting flaw. The URL should be designed to inject JavaScript into the dashboard search functionality, taking advantage of improper output encoding.
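The defect class described above, reflecting a search term into HTML without output encoding, shown as an added example; this is not VertiGIS FM code, and the two reflection points (the search box value attribute and a results line) are assumed for illustration.

```javascript
// Added example (not VertiGIS FM code): reflecting a dashboard search term
// into HTML. The vulnerable renderer interpolates the raw query; the
// hardened renderer applies HTML output encoding at every reflection point.

// Encode the characters that can break out of an HTML text node or a
// double-quoted attribute value.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the query lands in the page unencoded, both inside the
// search box's value attribute and inside the results text.
function renderSearchPageVulnerable(query) {
  return `<input name="q" value="${query}">` +
         `<p>Results for: ${query}</p>`;
}

// Hardened: the same template, but every interpolation is encoded first.
function renderSearchPageSafe(query) {
  const q = encodeHtml(query);
  return `<input name="q" value="${q}">` +
         `<p>Results for: ${q}</p>`;
}

// Tags the template itself emits; anything else in the output is injected.
const TEMPLATE_TAGS = ['<input', '<p', '</p'];

// Crude review aid: flag any tag or inline event-handler attribute in the
// rendered markup that the template did not produce.
function hasInjectedMarkup(html, templateTags) {
  const found = html.match(/<\/?[a-z][^\s>]*|\son[a-z]+\s*=/gi) || [];
  return found.some((t) => !templateTags.includes(t.toLowerCase()));
}

// Constructed probe string for the demonstration, not from the advisory.
const PROBE = '"><script>alert(1)</script>';

function demo() {
  return {
    vulnerable: hasInjectedMarkup(renderSearchPageVulnerable(PROBE), TEMPLATE_TAGS), // true
    hardened: hasInjectedMarkup(renderSearchPageSafe(PROBE), TEMPLATE_TAGS),         // false
  };
}
```

Encoding must match the context the value lands in; this encoder covers HTML text and quoted attribute values, not JavaScript or URL contexts.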

Remediation

Users are advised to upgrade to VertiGIS FM version 10.13.403 or later, where this vulnerability has been patched.

Added: Apr 1, 2026, 2:28 PM
Updated: Apr 1, 2026, 2:28 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.5
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.