-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2022-019
Product: DHC Vision - eQMS
Manufacturer: DHC Business Solutions GmbH & Co.KG
Affected Version(s): 5.4.8.332
Tested Version(s): 5.4.8.332
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2022-02-10
Solution Date: -
Public Disclosure: 2022-03-28
CVE Reference: CVE-2022-24957
Author of Advisory: Domenik Jockers, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DHC Vision is an application for several management processes, such as risk and quality management.

The manufacturer describes the product as follows (see [1]):

"Integrated solutions for quality management and quality assurance. Focused on the digitization of controlled documents and QA processes."

Due to insufficient input validation and output encoding, it is vulnerable to a persistent Cross-Site Scripting attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The web application applies correct output encoding in some places, but omits it in several others.

A user who is allowed to create a new information object in the content section can exploit the fact that the object's name is reflected without further sanitization into several fields of the server response.

Using an XSS payload like "" will execute as soon as a user opens the version or history page of the manipulated object, resulting in arbitrary JavaScript execution in the user's browser.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

- Right click on a document you can edit, or create a new information object.
- Enter "Xss" as name of the new or editable object.
- After saving, open the "versions" tab.
- The alert will pop up.
Responsible request:

POST /dhcvision/com.dhc.dhcvision.ui.DHCV/SaveInformation HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------9812481241444897703067791170
Content-Length: 2082
Connection: close

-----------------------------9812481241444897703067791170
Content-Disposition: form-data; name="name"

Xss
-----------------------------9812481241444897703067791170
Content-Disposition: form-data; name="attachment"

Without document
-----------------------------9812481241444897703067791170
Content-Disposition: form-data; name="typeDefinitionId"

65023
[...]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Encode untrusted output context sensitively.

More information:
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-02-08: Vulnerability discovered
2022-02-10: Vulnerability reported to manufacturer
2022-03-28: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for DHC Vision - eQMS
    https://www.dhc-vision.com/en/
[2] SySS Security Advisory SYSS-2022-019
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-019.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Domenik Jockers of SySS GmbH.

E-Mail: domenik.jockers@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Domenik_Jockers.asc
Key ID: 0x41BBA857633A2433
Key Fingerprint: 73F8 24A1 37DF 7E45 83D6 237F 41BB A857 633A 2433

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind.
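The context-sensitive output encoding recommended in the Solution section, as an added illustration that is not DHC Vision or SySS code: an object name is rendered into element content, a quoted attribute and a JavaScript string inside an event handler, once the raw way the advisory describes and once with one encoder per context. The function and attribute names (renderVersionRow, openVersion, data-name) are assumptions for the illustration.

```javascript
// Added example, not DHC Vision or SySS code: context-sensitive output encoding
// for an object name rendered into a "versions" table. Function and attribute
// names (renderVersionRow, openVersion, data-name) are assumptions for illustration.

// HTML element-content context: escape the five significant characters.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Quoted HTML attribute context: encode everything but [A-Za-z0-9] as &#xHH;.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// JavaScript string-literal context: \xHH or \uHHHH for everything but [A-Za-z0-9].
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? `\\x${code.toString(16).padStart(2, "0")}`
                        : `\\u${code.toString(16).padStart(4, "0")}`;
  });
}

// Vulnerable pattern from the advisory: the name is concatenated raw into three contexts.
function renderVersionRowVulnerable(name, versionId) {
  return `<tr data-name="${name}"><td>${name}</td>` +
    `<td><a href="#" onclick="openVersion('${name}', ${Number(versionId)})">open</a></td></tr>`;
}

// Hardened pattern: each interpolation uses the encoder for its own context. The onclick
// value is a JS string nested inside an HTML attribute, so it is JS-encoded first
// (inner context) and then attribute-encoded (outer context).
function renderVersionRow(name, versionId) {
  const jsInAttr = encodeForHtmlAttribute(encodeForJsString(name));
  return `<tr data-name="${encodeForHtmlAttribute(name)}"><td>${encodeForHtml(name)}</td>` +
    `<td><a href="#" onclick="openVersion('${jsInAttr}', ${Number(versionId)})">open</a></td></tr>`;
}

// Response-side check for a regression test: did a raw script tag survive rendering?
function containsRawScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed sample name with the same shape as the advisory's PoC input.
const SAMPLE_NAME = '<script>alert("Xss")</script>';
console.log("vulnerable leaks tag:", containsRawScriptTag(renderVersionRowVulnerable(SAMPLE_NAME, 1)));
console.log("hardened leaks tag:  ", containsRawScriptTag(renderVersionRow(SAMPLE_NAME, 1)));
```

The same check can be run against the real "versions" page response in a test suite: a fix is complete only when the raw tag is absent from every field the name is reflected into.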
Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en