Exploit for Sofico Miles RIA 2020.2 Build 127964T Cross Site Scripting CVE-2021-41557

Name: Exploit for Sofico Miles RIA 2020.2 Build 127964T Cross Site Scripting CVE-2021-41557
Rating: 5 (220 reviews)
2021-12-14 | CVSS 0.3
## https://sploitus.com/exploit?id=PACKETSTORM:165278
SEC Consult Vulnerability Lab Security Advisory < 20211213-1 >  
=======================================================================  
title: Stored Cross Site Scripting  
product: Sofico Miles RIA  
vulnerable version: 2020.2 build 127964T  
fixed version: 2020.2 build 128076 or higher  
CVE number: CVE-2021-41557  
impact: Medium  
homepage: https://www.sofico.global  
found: 2021-07-09  
by: Oualid Lkhaouni (Office Bochum)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Atos company  
Europe | Asia | North America  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"Sofico is the world’s leading supplier of mission-critical software solutions  
for automotive finance, leasing, fleet, and mobility management companies,  
and its software is used by a broad range of renowned leasing companies  
all over the world."  
  
Source: https://www.sofico.global/en/about-sofico  
  
  
Business recommendation:  
------------------------  
SEC Consult recommends updating to the latest version of Sofico Miles RIA.  
  
An in-depth security analysis performed by security professionals is highly  
advised, as the software may be affected from further security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Stored Cross Site Scripting (CVE-2021-41557)  
Miles RIA is a software solution by Sofico that allows leasing companies to manage  
their leasing services on a single platform.  
  
The Miles RIA application is vulnerable to Stored Cross-Site Scripting (XSS).  
An attacker with access to a user account of the RIA IT or the Fleet role  
can create a malicious work order in the damage reports section or change  
existing work orders with malicious JavaScript.  
  
  
Proof of concept:  
-----------------  
1) Stored Cross Site Scripting (CVE-2021-41557)  
The following payload can be used for the insecure work order number  
parameter of pending work orders in the damage reports section to inject  
and execute malicious JavaScript in the context of the victim.  
Once the victim visits the malicious work order, the attacker-controlled  
input gets reflected in the lower left context menu of the loaded webpage:  
  
1000 <img src=x onerror=alert(document.domain)>  
  
This JavaScript code will then automatically get executed when the site  
which contains the payload is visited by the victim.  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following software version has been tested and found to be vulnerable:  
* Miles RIA 2020.2 build 127964T  
  
It is unknown whether previous versions are affected, as the vendor did not  
supply this information.  
  
  
Vendor contact timeline:  
------------------------  
2021-07-26: Contacting vendor through contact.de@sofico.global; No answer.  
2021-08-24: Contacting vendor through contact.de@sofico.global; No answer.  
2021-09-21: Contacting vendor through contact.de@sofico.global and contact@sofico.global; No answer.  
2021-11-04: Informing vendor about public advisory release on 9th November 2021.  
2021-11-08: Received info from 3rd party about patches.  
2021-11-24: Informing vendor about public advisory release on 29th November 2021.  
2021-11-24: Received more detailed info from 3rd party about patches.  
2021-12-01: Coordination call with vendor.  
2021-12-13: Coordinated release of security advisory.  
  
  
Solution:  
---------  
The vendor provides patches for the affected product versions:  
* Miles RIA 2020.2 build 128076 or higher  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult, an Atos company  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Oualid Lkhaouni / @2021