Proof of concept of multiple Stored Cross-Site Scripting (XSS) vulnerabilities discovered in ACI Worldwide Proactive Risk Manager v 9.1.1.0# CVE-2024-48569
**Severity :** **Medium** (**6.4**)
**CVSS score :** `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N`
## Summary :
ACI Worldwide **Proactive Risk Manager** version **9.1.1.0** is affected by multiple **Stored Cross-Site Scripting (XSS)** vulnerabilities in the add/edit form fields of some web pages.
## Poc 1
### Steps to Reproduce :
1. Insert the following payload inside the in the add/edit form fields of the pages under the subpaths:
- /ar/config/configuation/
- /ar/config/risk-strategy-control/
2. Save the forms. The js/html injected will be then rendered.
```html
<img src="#" onerror=alert(1)>
```
## Affected Version Details :
- <= 9.1.1.0
## Impact :
The attacker can use social engineering techniques to make the victim click on a crafted malicious url or can simply wait until the victims open a page containing the stored xss in order to exfiltrate data or install malware on the user’s machine. The Attacker can steal cookies and masquerade as authorized, allowing him to perform any action allowed by the user account.
## Mitigation :
- Implement input sanitization and/or implement html entities encoding. The vulnerability is fixed in version >= 9.3
## References :
- https://nvd.nist.gov/vuln/detail/CVE-2024-48569
[4.0K] /data/pocs/93246d2662b163a12c1deb13e85dd91ba05d07f0
└── [1.2K] README.md
0 directories, 1 file