
CVE-2024-22780 - Cross Site Scripting vulnerability in CA17 TeamsACS v.1.0.1 allows a remote attacker to execute arbitrary code via a crafted script to the errmsg parameter.

Open fuomag9 opened this issue 1 year ago • 2 comments

As per #25, I am publishing the security issue I found within your project, as there is no way to contact the maintainer of this repository.

[Description] Cross Site Scripting vulnerability in CA17 TeamsACS v.1.0.1 allows a remote attacker to execute arbitrary code via a crafted script to the errmsg parameter.

[Vulnerability Type] Cross Site Scripting (XSS)

[Vendor of Product] CA17

[Affected Product Code Base] https://github.com/CA17/TeamsACS - 1.0.1

[Affected Component] errmsg parameter in the /login endpoint

[Attack Type] Remote

[Impact Code execution] true

[Impact Information Disclosure] true

[Attack Vectors] To exploit the vulnerability the victim has to click on a specifically crafted URL (e.g. address:port/login?errmsg={ANY_HTML_TAG})

[Discoverer] @fuomag9

fuomag9, Mar 30 '24 01:03
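The attack vector described in the report is a reflected XSS: whatever is passed in the `errmsg` query parameter of `/login` is written into the page unencoded, so a victim who follows a crafted link has attacker-controlled markup (and therefore script) run in their own session. The Go example below is added here as an illustration of that bug class and its fix; it is not TeamsACS code, and the handler, template, payload and `/login?errmsg=` wiring are constructed assumptions for the demo. It shows the same error banner rendered twice, once with plain string formatting (the vulnerable pattern) and once through `html/template`, whose context-aware escaping turns the payload into inert text.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// payload is a constructed example of "any HTML tag" supplied via errmsg,
// matching the attack vector in the report (not taken from the project).
const payload = `<img src=x onerror="alert(document.cookie)">`

// renderVulnerable reflects errmsg into the page with plain string
// formatting, so markup in the parameter becomes part of the DOM.
// Hypothetical reproduction of the bug class, not the project's own code.
func renderVulnerable(errmsg string) string {
	return fmt.Sprintf(`<form method="post" action="/login"><p class="error">%s</p></form>`, errmsg)
}

// loginTmpl is parsed with html/template, which escapes every {{.}}
// substitution according to where it lands (here: HTML text content).
var loginTmpl = template.Must(template.New("login").Parse(
	`<form method="post" action="/login"><p class="error">{{.ErrMsg}}</p></form>`))

// renderHardened renders the same page through html/template; the
// characters < > " ' & are encoded, so the message is displayed, not parsed.
func renderHardened(errmsg string) (string, error) {
	var buf bytes.Buffer
	err := loginTmpl.Execute(&buf, struct{ ErrMsg string }{errmsg})
	return buf.String(), err
}

// handler wires renderHardened to a /login route that reads errmsg from the
// query string, the way a redirect-after-failed-login flow typically does.
func handler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	// Defence in depth: without 'unsafe-inline', the browser refuses inline
	// event handlers and <script> bodies even if an escaping bug slips through.
	w.Header().Set("Content-Security-Policy", "default-src 'self'")
	out, err := renderHardened(r.URL.Query().Get("errmsg"))
	if err != nil {
		http.Error(w, "render error", http.StatusInternalServerError)
		return
	}
	fmt.Fprint(w, out)
}

// serveLogin drives handler with httptest and returns the response body,
// so the behaviour can be checked offline without binding a port.
func serveLogin(errmsg string) string {
	req := httptest.NewRequest(http.MethodGet, "/login?errmsg="+url.QueryEscape(errmsg), nil)
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Body.String()
}

func main() {
	safe, _ := renderHardened(payload)
	fmt.Println("vulnerable:", renderVulnerable(payload))
	fmt.Println("hardened:  ", safe)
	fmt.Println("raw tag reflected (vulnerable/hardened):",
		strings.Contains(renderVulnerable(payload), payload), "/",
		strings.Contains(safe, payload))
}
```

The fix that matters is the output encoding at the point of reflection: `html/template` emits `&lt;img ... &gt;` for the constructed payload, so the browser shows the literal text. The `Content-Security-Policy` header is a second layer, not a substitute; it does nothing about the injected markup itself, only about whether script inside it is allowed to execute.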

Now disclosed at https://www.cve.org/CVERecord?id=CVE-2024-22780 as well

fuomag9, Apr 02 '24 23:04

Thank you, I'll deal with it as soon as I can.

jamiesun, May 16 '24 12:05