CVE-2021-28901 in Azur CMSinfo

Summary

by MITRE • 09/16/2021

Multiple cross-site scripting (XSS) vulnerabilities exist in SITA Software Azur CMS 1.2.3.1 and earlier, which allows remote attackers to inject arbitrary web script or HTML via the (1) NOM_CLI , (2) ADRESSE , (3) ADRESSE2, (4) LOCALITE parameters to /eshop/products/json/aouCustomerAdresse; and the (5) nom_liste parameter to /eshop/products/json/addCustomerFavorite.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 09/19/2021

The vulnerability identified as CVE-2021-28901 represents a critical cross-site scripting flaw affecting SITA Software Azur CMS version 1.2.3.1 and earlier installations. This vulnerability manifests through multiple attack vectors within the web application's customer data handling mechanisms, specifically targeting parameters used in JSON API endpoints that process customer information. The affected parameters include NOM_CLI, ADRESSE, ADRESSE2, LOCALITE in the /eshop/products/json/aouCustomerAdresse endpoint, and the nom_liste parameter in the /eshop/products/json/addCustomerFavorite endpoint. These endpoints handle customer address and favorite list data, making them prime targets for malicious actors seeking to exploit client-side vulnerabilities.

The technical exploitation of this vulnerability occurs when remote attackers inject malicious JavaScript code or HTML content through the vulnerable parameters. When the application processes these parameters without proper input sanitization or output encoding, the malicious content gets rendered in the victim's browser context, allowing attackers to execute arbitrary scripts. This flaw falls under CWE-79 - Improper Neutralization of Input During Web Page Generation, which is a fundamental web application security weakness that enables XSS attacks. The vulnerability is particularly concerning because it affects core customer data handling functionality, potentially allowing attackers to steal session cookies, perform unauthorized transactions, or redirect users to malicious websites.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to compromise user sessions and potentially gain unauthorized access to customer accounts. Attackers could leverage this vulnerability to establish persistent access to customer data, manipulate favorite lists, or inject malicious content that could be served to multiple users. The attack surface is significant given that these endpoints handle customer address information and list management functionalities, which are frequently accessed and contain sensitive personal data. The vulnerability also aligns with ATT&CK technique T1531 - Account Access Removal and T1071.001 - Application Layer Protocol: Web Protocols, as it exploits web application protocols to gain unauthorized access and manipulate user data. The exposure of customer address data through these endpoints could lead to identity theft, fraud, or targeted phishing attacks against users.

Mitigation strategies for this vulnerability must include immediate input validation and output encoding across all affected parameters. The application should implement strict sanitization of all user-supplied data before processing or rendering, utilizing context-appropriate encoding mechanisms such as HTML entity encoding for web page output. Security patches should be applied to upgrade to SITA Software Azur CMS version 1.2.3.2 or later, which should contain the necessary fixes. Additionally, implementing Content Security Policy headers, employing proper parameter validation, and conducting regular security assessments of web application endpoints are essential defensive measures. Organizations should also consider implementing web application firewalls and monitoring for suspicious parameter values that might indicate attempted XSS attacks, particularly focusing on the identified vulnerable endpoints and parameters to prevent exploitation.

Reservation

03/19/2021

Disclosure

09/16/2021

Moderation

accepted

CPE

ready

EPSS

0.00782

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!