| Title | iodasweb iodas v7.2-LTS.4.1-JDK7, v7.2-RC3.2-JDK7 Cross Site Scripting |
|---|
| Description | Reflected XSS
Description
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in multiple versions of the IodasWeb application: the value of the `action` query parameter of `/astre/iodasweb/app.jsp` is reflected into the HTTP response without output encoding.
Severity: Medium
✅ Confirmed Affected Versions
v7.2-LTS.4.1-JDK7
v7.2-RC3.2-JDK7
Payload
https://WEBSITE.COM/astre/iodasweb/app.jsp?action=<img src=x onerror=alert(1)>
⚠️ Impact
The vulnerability results from insufficient input validation and missing contextual output encoding of the `action` parameter. An attacker can craft a URL whose `action` value contains HTML with an inline event handler, as in the payload above; the server reflects it unencoded into the response and the victim's browser executes the handler in the origin of the application. Because the payload uses an `<img>` element with an `onerror` handler rather than a `<script>` tag, it fires as soon as the image fails to load.
Potential Consequences
Actions performed on behalf of authenticated users
Theft of session tokens (if the session cookie is not marked HttpOnly)
UI defacement
Redirection to malicious websites
Social engineering/phishing attacks
Unauthorized access to user accounts
Exploitation requires a victim to open the crafted URL, for example through a phishing link. This significantly undermines user trust and can lead to data compromise if exploited.
Recommendation
It is recommended to:
Apply contextual output encoding (HTML entity encoding in the HTML body context) to the `action` parameter and to every other user-supplied value reflected in responses, and validate `action` against the set of actions the page actually supports.
Deploy a Content Security Policy that does not allow `'unsafe-inline'` script, so inline event handlers such as `onerror=` cannot execute even where a reflection is missed.
Set the HttpOnly and Secure flags on the session cookie to limit session-token theft by injected script.
Review WAF settings and behavior (where a WAF is deployed) across all application versions; the payload above is reflected on both affected releases. |
|---|
| Source | ⚠️ https://github.com/lam-sec/iodasweb-poc |
|---|
| User | lamouchi (UID 84095) |
|---|
| Submission | 04/22/2025 17:54 (12 months ago) |
|---|
| Moderation | 05/09/2025 16:44 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 308232 [Inetum IODAS 7.2-LTS.4.1-JDK7/7.2-RC3.2-JDK7 /astre/iodasweb/app.jsp action cross site scripting] |
|---|
| Points | 20 |
|---|
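As an added worked example (not part of the original submission or of the IodasWeb code base), the following Python script models the reported reflection and the recommended fixes: it extracts the `action` parameter from the proof-of-concept URL as the server would, contrasts a hypothetical unencoded rendering of the parameter with an HTML-encoded one, and provides the retest checks a reviewer would run against a real response: whether the payload is reflected raw or encoded, whether a Content-Security-Policy still allows inline event handlers such as `onerror=`, and whether the session cookie carries HttpOnly and Secure. Only the URL and the payload come from the advisory; the response templates, the CSP strings and the cookie name are assumptions for illustration.

```python
import html
from urllib.parse import urlparse, parse_qs, quote

# Payload and endpoint taken from the advisory; the PoC URL is rebuilt with the
# percent-encoding a browser applies before sending the request.
PAYLOAD = "<img src=x onerror=alert(1)>"
POC_URL = "https://WEBSITE.COM/astre/iodasweb/app.jsp?action=" + quote(PAYLOAD, safe="")


def action_param(url):
    """Return the decoded `action` query parameter, as the servlet would receive it."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return query.get("action", [""])[0]


def render_vulnerable(action):
    """Hypothetical stand-in for the reported behaviour (not IodasWeb's code): the
    parameter is written into the HTML body verbatim, so any markup in it becomes
    part of the page."""
    return f"<html><body><p>Unknown action: {action}</p></body></html>"


def render_fixed(action):
    """Same response with contextual output encoding for an HTML text node.
    html.escape(quote=True) encodes & < > " and ', so the value can neither
    start a tag nor break out of an attribute."""
    return f"<html><body><p>Unknown action: {html.escape(action, quote=True)}</p></body></html>"


def reflection_state(body, payload):
    """Retest check: classify how the probe payload came back in a response body."""
    if payload in body:
        return "unencoded"           # markup survives -> exploitable reflection
    if html.escape(payload, quote=True) in body:
        return "encoded"             # reflected as inert text
    return "not reflected"


def csp_allows_inline_script(csp):
    """True if a Content-Security-Policy still lets inline event handlers such as
    onerror= run. Simplification: nonces and hashes are not modelled (when they
    are present, browsers ignore 'unsafe-inline')."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "script-src" in directives:
        sources = directives["script-src"]
    elif "default-src" in directives:
        sources = directives["default-src"]
    else:
        return True                  # no directive governs script at all
    return "'unsafe-inline'" in sources


def cookie_flags(set_cookie):
    """Report whether a Set-Cookie header value carries the Secure and HttpOnly flags."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return {"secure": "secure" in attrs, "httponly": "httponly" in attrs}


if __name__ == "__main__":
    action = action_param(POC_URL)
    print("server sees action =", action)
    print("vulnerable rendering:", reflection_state(render_vulnerable(action), PAYLOAD))
    print("fixed rendering:     ", reflection_state(render_fixed(action), PAYLOAD))
    # Constructed header values for illustration, not captured from IodasWeb.
    weak_csp = "default-src 'self'; script-src 'self' 'unsafe-inline'"
    strong_csp = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"
    print("weak CSP allows inline handler:  ", csp_allows_inline_script(weak_csp))
    print("strong CSP allows inline handler:", csp_allows_inline_script(strong_csp))
    print(cookie_flags("SESSIONID=abc123; Path=/astre; Secure; HttpOnly; SameSite=Lax"))
```

Against a live target the same `reflection_state` check is applied to the body of the response to the PoC URL: an `encoded` result means the `&lt;img ...&gt;` form came back and the fix holds; `unencoded` means the parameter is still reflected as live markup regardless of what a WAF in front of it reports.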