-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2022-019
Product: DHC Vision - eQMS
Manufacturer: DHC Business Solutions GmbH & Co.KG
Affected Version(s): 5.4.8.332
Tested Version(s): 5.4.8.332
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2022-02-10
Solution Date: -
Public Disclosure: 2022-03-28
CVE Reference: CVE-2022-24957
Author of Advisory: Domenik Jockers, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
DHC Vision is an application for several management processes,
like risk and quality management.
The manufacturer describes the product as follows (see [1]):
"Integrated solutions for quality management and quality assurance.
Focused on the digitization of controlled documents and QA processes."
Due to insufficient input validation and output encoding,
it is vulnerable to a persistent Cross-Site Scripting attack.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The web application uses correct output encoding on some occurrences,
but misses to do so in several places as well.
A user who is allowed to create a new information object in the content
section, can exploit the fact, that the name of the object is reflected
without further sanitization into several fields in the server response.
Using an XSS payload like "
" will
execute as soon as a user opens the version or history page of the
manipulated object, resulting in arbitrary JavaScript execution in the
user's browser.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
- - Right click on a document you can edit, or create a new information
object.
- - Enter "Xss" as name
of the new or editable object.
- - After saving, open the "versions" tab.
- - The alert will pop up.
Responsible request:
POST /dhcvision/com.dhc.dhcvision.ui.DHCV/SaveInformation HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------9812481241444897703067791170
Content-Length: 2082
Connection: close
- -----------------------------9812481241444897703067791170
Content-Disposition: form-data; name="name"
Xss
- -----------------------------9812481241444897703067791170
Content-Disposition: form-data; name="attachment"
Without document
- -----------------------------9812481241444897703067791170
Content-Disposition: form-data; name="typeDefinitionId"
65023
[...]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Encode untrusted output context sensitively.
More information:
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2022-02-08: Vulnerability discovered
2022-02-10: Vulnerability reported to manufacturer
2022-03-28: Public disclosure of vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for DHC Vision - eQMS
https://www.dhc-vision.com/en/
[2] SySS Security Advisory SYSS-2022-019
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-019.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Domenik Jockers of SySS GmbH.
E-Mail: domenik.jockers@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Domenik_Jockers.asc
Key ID: 0x41BBA857633A2433
Key Fingerprint: 73F8 24A1 37DF 7E45 83D6 237F 41BB A857 633A 2433
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEc/gkoTfffkWD1iN/QbuoV2M6JDMFAmI4P/cACgkQQbuoV2M6
JDOzFxAAgnnFmTNxXwBrn0fRXgdqahEaomFvXIjFAkmHfHYAX0gQWo7uTrSyIkrn
42nAGyPBae+Z8pA/poBVY+TBRiibOr/g+8GjjwM9A+vkWCV5A/lf+G0VeVU82xbG
wr2tjZP1vU9qp9iDJKJIL/PLpdVyX3qdoT/71LuQ+gHRKgI1AD1+ZCNVtaayDZaE
x1DhibDCmmDabN0WMtMVHJEnCAuuySdTehr2uM4qCH80Q4EEBjuleBBD/JavPuU5
nBwQ9H8MXKkpBfNTmBzbKTQis77ZhTdS8iX48w+Uog8W6TQh9WDxl9v3hu+gIGXs
RMk1ULKtitYwgYRLMzSQ4XIe3/YdBcplfpR7Yh9TxckHdg6jV/DxcQA5dzkNP+k8
4jjAULOWMBKyymIlkS95YmWJa8A/m5A2MGA/Mf7AXpsswC//x/MfDVT1yNLUvrif
tA/qcewIbusRIGnI0E/QeosLdYS94CWRn0hDs7oNA2bXer1ax7P72ingfjnTCLZt
mYoBzl3qb1pNYpQA+VZnZKxNdWKP0jAt7+2IDadSDIMx6D3YmbgGmXyDtwlb0Swf
u79Lqzyd3lHtp/4g0qytDci9ELku1IqG3PpGy3pekdelJjNfTL2j2fNGKgBs2qpc
wfXCQ12KH2gTk7yU8ziYMgZndBXo7B35Ix/AKSHeWqEOMJ4SWUo=
=TTB3
-----END PGP SIGNATURE-----