Advisory ID: SYSS-2021-053
Product: COINS Construction Cloud
Manufacturer: Construction Industry Solutions (COINS)
Affected Version(s): 11.12
Tested Version(s): 11.12
Vulnerability Type: Improper Neutralization of Special Elements used in a Command (CWE-77)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2021-11-02
Solution Date: TBA
Public Disclosure: 2022-01-13
CVE Reference: CVE-2021-45224
Author of Advisory: Jürgen Zöller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

COINS Construction Cloud is enterprise resource planning software
specifically for the construction industry.

The manufacturer describes the product as follows (see [1]):

"COINS Construction Cloud is a powerful solution that enables
construction companies, their subcontractors, suppliers and workforce
– to work better together on site, off site, on the road and in the
office."

Due to an insecure software architecture, the application is vulnerable
to reflected cross-site scripting via malicious URLs.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

At several locations throughout the application, JavaScript code is
passed to downstream components via HTTP GET URL parameters. As those
parameters can be freely altered on the client side, an attacker can
trivially replace the original JavaScript code with malicious code. If a
logged-in victim visits such a link, the code gets executed.

The affected variables are "postCheckRowids" and "afterPost".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Visit a page using either one of those parameters, e.g. the
   "Browse Documents" view.
2. Insert arbitrary JavaScript code into the value of the
   "postCheckRowids" parameter in the URL.
3. Load the page with the modified link.
4. The JavaScript code gets executed once the page has loaded.
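The following Node.js example is added here for illustration; it is not code from COINS Construction Cloud or from the SySS advisory. It models the design the advisory describes (a page reads "afterPost" and "postCheckRowids" from the query string and hands them to a downstream component) and contrasts it with the usual remediation: the URL carries only a hook name that is checked against an allowlist, and the row-id list is strictly validated. The function names, the hook registry and the sample URLs are constructed assumptions.

```javascript
// Added example, not code from COINS Construction Cloud or the SySS advisory.
// runPostActionUnsafe, runPostActionSafe, POST_HOOKS and the URLs are constructed.
// Runs under Node.js (URL and Function are globals).

// Constructed link standing in for the "Browse Documents" view named in the advisory.
const SAMPLE_URL =
  'https://example.invalid/browse?afterPost=refreshGrid&postCheckRowids=12,34';

// The pattern the advisory describes: the afterPost value itself is treated as code,
// so whoever crafts the link decides what runs in the logged-in victim's session.
function runPostActionUnsafe(url) {
  const params = new URL(url).searchParams;
  return Function(params.get('afterPost'))(); // executes text taken from the URL
}

// Remediation: the URL carries only a hook *name*; the page maps it to code it
// already ships. Unknown names are rejected, so URL tampering cannot inject code.
const POST_HOOKS = {
  refreshGrid: (rowids) => `refreshed ${rowids.length} row(s)`,
  closeDialog: () => 'dialog closed',
};

// postCheckRowids must be a comma-separated list of numeric ids and nothing else.
function parseRowids(raw) {
  if (raw === null || raw === '') return [];
  return raw.split(',').map((s) => {
    if (!/^\d{1,12}$/.test(s)) throw new Error(`invalid rowid: ${JSON.stringify(s)}`);
    return Number(s);
  });
}

function runPostActionSafe(url) {
  const params = new URL(url).searchParams;
  const hookName = params.get('afterPost') ?? 'refreshGrid';
  // hasOwnProperty keeps prototype names such as "constructor" out of the allowlist.
  if (!Object.prototype.hasOwnProperty.call(POST_HOOKS, hookName)) {
    throw new Error(`unknown afterPost hook: ${JSON.stringify(hookName)}`);
  }
  return POST_HOOKS[hookName](parseRowids(params.get('postCheckRowids')));
}

// A tampered link: "return 1+1" (URL-encoded) in place of a hook name.
const TAMPERED_URL = 'https://example.invalid/browse?afterPost=return%201%2B1';

console.log(runPostActionSafe(SAMPLE_URL));     // refreshed 2 row(s)
console.log(runPostActionUnsafe(TAMPERED_URL)); // 2: the URL text ran as code
try { runPostActionSafe(TAMPERED_URL); } catch (e) { console.log(e.message); }
```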
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

No solution has been provided yet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-04-20: Vulnerability discovered
2021-11-02: Vulnerability reported to manufacturer
2022-01-13: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for COINS Construction Cloud
    https://www.coins-global.com/solutions/47/
[2] SySS Security Advisory SYSS-2021-053
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-053.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Jürgen Zöller of SySS GmbH.

E-Mail: juergen.zoeller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Juergen_Zoeller.asc
Key ID: 0xA55C06902A34886E
Key Fingerprint: F279 067D A805 F18E BB71 E876 A55C 0690 2A34 886E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en