-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2021-031
Product: COINS Construction Cloud
Manufacturer: Construction Industry Solutions (COINS)
Affected Version(s): 11.12
Tested Version(s): 11.12
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Not Fixed
Manufacturer Notification: 2021-11-02
Solution Date: --
Public Disclosure: 2022-01-13
CVE Reference: CVE-2021-45228
Author of Advisory: Philipp Rieth, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
COINS Construction Cloud is an enterprise resource planning software
specifically for the construction industry.
The manufacturer describes the product as follows (see [1]):
"COINS Construction Cloud is a powerful solution that enables construction
companies, their subcontractors, suppliers and workforce – to work better
together on site, off site, on the road and in the office."
Due to insufficient neutralization of user input in the description of a
task, it is possible to store HTML markup with embedded JavaScript in the
task description. The code is executed in the browser of every user to whom
the task is later displayed (stored cross-site scripting).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
It is possible to store malicious JavaScript code in the description of a
task in the Activity Workbench. The description is saved without escaping,
so the payload persists in the application and is delivered to every user
who views the task. The Activity Workbench can be found on the landing page
of the COINS application. The JavaScript has to be attached to an HTML
event handler attribute (for example onmouseover) in order to be executed.
The severity of this vulnerability is increased by the fact that tasks can
be created for and assigned to other users. This allows an attacker to
deliver malicious JavaScript code directly to a chosen victim; the code is
executed as soon as the task information is rendered for that user.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
1. Open the landing page.
2. Open Activity Workbench.
3. Create a new task.
4. Select a user whom the task should be assigned to.
5. Insert the following HTML code into the task description (other events
can be used):
hover-me
.
6. Save the task.
7. Reload the page and open the "Actions Menu".
8. The JavaScript code is executed when the user hovers over the
task description.
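The following is an added example and is not code from the SySS advisory or from the COINS product; it models the bug class described above and in the PoC. A task description is stored verbatim and later interpolated into HTML, so an event handler attribute in it runs as JavaScript in the viewer's browser. All task records, function names and the template layout are constructed for the example; the only assumption taken from the advisory is that the description reaches the page through a string template without output encoding.

```javascript
// Added example (not part of the advisory or the COINS code base): a stored
// task description rendered unescaped, the output-encoding fix, and a check
// that can serve as a regression test or as a sweep over already stored data.

// Constructed task records. Task 2 is the kind of payload an attacker could
// save through the Activity Workbench and assign to another user.
const STORED_TASKS = [
  { id: 1, assignee: "alice", description: "Check scaffolding on site 4" },
  { id: 2, assignee: "bob",
    description: '<span onmouseover="alert(document.cookie)">hover-me</span>' },
  { id: 3, assignee: "carol", description: "Order 20 t of gravel <today>" },
];

// Vulnerable pattern: untrusted values concatenated straight into markup.
function renderTaskVulnerable(task) {
  return `<li class="task" data-id="${task.id}"><b>${task.assignee}</b>: ` +
    `${task.description}</li>`;
}

// Fix: encode every untrusted value for the HTML context it lands in.
// These five characters cover text nodes and double-quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderTaskSafe(task) {
  return `<li class="task" data-id="${escapeHtml(task.id)}">` +
    `<b>${escapeHtml(task.assignee)}</b>: ${escapeHtml(task.description)}</li>`;
}

// Detection helper: flags rendered markup that carries an on* event handler
// attribute (the vector in this advisory) or a script element. It is a check
// for tests and data sweeps, deliberately simple, and not a sanitizer.
const EVENT_HANDLER_RE = /<[^>]*\son[a-z]+\s*=/i;
const SCRIPT_TAG_RE = /<script\b/i;

function containsActiveContent(html) {
  return EVENT_HANDLER_RE.test(html) || SCRIPT_TAG_RE.test(html);
}

// Ids of stored tasks whose description would execute under the vulnerable
// template. Useful for finding payloads already planted before a fix ships.
function findInjectedTasks(tasks) {
  return tasks
    .filter((t) => containsActiveContent(renderTaskVulnerable(t)))
    .map((t) => t.id);
}
```

With these records, findInjectedTasks(STORED_TASKS) returns only task 2; the angle brackets in task 3 are harmless but show that encoding on output also keeps ordinary text from being parsed as tags. If the product needs rich-text descriptions rather than plain text, replace escapeHtml with an allowlist HTML sanitizer such as DOMPurify; do not try to strip event handlers with regular expressions.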
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
There is no known solution yet.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2021-04-21: Vulnerability discovered
2021-11-02: Vulnerability reported to manufacturer
2022-01-13: Public disclosure of vulnerability (no patch released by the manufacturer at that time)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for COINS Construction Cloud
https://www.coins-global.com/solutions/47/
[2] SySS Security Advisory SYSS-2021-031
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-031.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Philipp Rieth of SySS GmbH.
E-Mail: philipp.rieth@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Philipp_Rieth.asc
Key ID: 0x18A0750E91942316
Key Fingerprint: 2B75 C642 944A 8331 CFBC FC10 7621 A8F8 68C0 6D5F
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----