-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-031
Product: COINS Construction Cloud
Manufacturer: Construction Industry Solutions (COINS)
Affected Version(s): 11.12
Tested Version(s): 11.12
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Not Fixed
Manufacturer Notification: 2021-11-02
Solution Date: --
Public Disclosure: 2022-01-13
CVE Reference: CVE-2021-45228
Author of Advisory: Philipp Rieth, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

COINS Construction Cloud is enterprise resource planning software built
specifically for the construction industry.

The manufacturer describes the product as follows (see [1]):

"COINS Construction Cloud is a powerful solution that enables construction
companies, their subcontractors, suppliers and workforce – to work better
together on site, off site, on the road and in the office."

Due to insufficient neutralization of user input in the description of a
task, it is possible to store malicious JavaScript code in the task
description. The stored code is executed later, when the description is
reflected back to a user.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

It is possible to store malicious JavaScript code in the description of a
task in the Activity Workbench. This way, the malicious JavaScript is
persistently stored in the application. The Activity Workbench can be
found on the landing page of the COINS application.

The JavaScript needs to be attached to an HTML event handler in order to
be executed.

The severity of this vulnerability is increased by the fact that it is
possible to create tasks for other users. This enables a user to send
malicious JavaScript code directly to other users; the code is executed
as soon as the task information is reflected to the targeted user.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Open the landing page.
2. Open the Activity Workbench.
3. Create a new task.
4. Select the user to whom the task should be assigned.
5. Insert the following HTML code into the task description (other events
   can be used):

   hover-me

6. Save the task.
7. Reload the page and open the "Actions Menu".
8. The JavaScript code is executed when the user hovers over the task
   description.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no known solution yet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-04-21: Vulnerability discovered
2021-11-02: Vulnerability reported to manufacturer
2021-??-??: Patch released by manufacturer
2021-??-??: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for COINS Construction Cloud
    https://www.coins-global.com/solutions/47/
[2] SySS Security Advisory SYSS-XXXX-XXX
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-XXXX-XXX.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Philipp Rieth of SySS GmbH.

E-Mail: philipp.rieth@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Philipp_Rieth.asc
Key ID: 0x18A0750E91942316
Key Fingerprint: 2B75 C642 944A 8331 CFBC FC10 7621 A8F8 68C0 6D5F

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
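Since the advisory lists no vendor fix, the following added example (editor's code, not part of the SySS advisory or the COINS product) shows the defensive side of the issue described above: rendering a task description as inert text so that stored markup with an event handler cannot execute, plus a triage check that flags already-stored descriptions carrying event-handler attributes. The task records, field names and the `run()` handler are constructed for the example.

```javascript
// Added example (not from the advisory or the vendor): escape-on-output for a
// task description, and a triage scan over stored task records. All records
// below are constructed samples with hypothetical field names.

// Escape the characters that let text break out of an HTML text node or a
// quoted attribute value. The description is inserted as element text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[ch]);
}

// Build the markup for one task row. Because the description is escaped, a
// stored tag with an onmouseover handler is shown as literal text and no
// event handler is ever bound by the browser.
function renderTaskRow(task) {
  return `<li data-task-id="${escapeHtml(task.id)}">` +
         `<span class="assignee">${escapeHtml(task.assignee)}</span>: ` +
         `<span class="description">${escapeHtml(task.description)}</span></li>`;
}

// Triage helper for descriptions that are already stored: flags a tag that
// carries an HTML event-handler attribute (on...=), a <script> tag, or a
// javascript: URL. A hit means "review this record", not proof of abuse.
const SUSPICIOUS_MARKUP = /<[^>]*\son[a-z]+\s*=|<\s*script\b|javascript\s*:/i;

function findSuspiciousTasks(tasks) {
  return tasks
    .filter((t) => SUSPICIOUS_MARKUP.test(t.description))
    .map((t) => t.id);
}

// Constructed sample records; only T-1002 carries an event handler. T-1003
// contains angle brackets without a handler and must not be flagged.
const SAMPLE_TASKS = [
  { id: "T-1001", assignee: "alice", description: "Check invoice totals & sign off" },
  { id: "T-1002", assignee: "bob", description: '<div onmouseover="run()">hover-me</div>' },
  { id: "T-1003", assignee: "carol", description: "Site visit <before> 10am" },
];
```

Escaping must match the output context: the code above is correct for element text and quoted attribute values, not for descriptions placed inside a script block or a URL.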
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en