Share
## https://sploitus.com/exploit?id=PACKETSTORM:182912
SEC Consult Vulnerability Lab Security Advisory < 20241127-0 >  
=======================================================================  
title: Stored Cross-Site Scripting  
product: Omada Identity  
vulnerable version: <v15U1, <v14.14 hotfix #309  
fixed version: v15U1, v14.14 hotfix #309  
CVE number: CVE-2024-52951  
impact: Medium  
homepage: https://omadaidentity.com/products/omada-identity/  
found: 2024-03-20  
by: Daniel Hirschberger (Office Bochum)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"Omada Identity is a modern, enterprise-ready IGA solution that is deployed  
on-premises, giving you full control over your data and security. Our solution  
is easy to use, highly customizable, and gives you complete visibility into your  
environment without having to write a single line of code but is completely  
customizable to address any requirement. With built-in automation features,  
Omada Identity can help you streamline your workflows, improve efficiency, and  
strengthen your security posture."  
  
Source: https://omadaidentity.com/products/omada-identity/  
  
  
Business recommendation:  
------------------------  
Upgrade to version v15U1 or install hotfix #309 for v14.14.  
  
SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Stored Cross-Site Scripting (CVE-2024-52951)  
An authenticated user can inject JavaScript in the "Request Reason". The  
injected JavaScript code will be executed if another user looks at the "History"  
of this access request. An attacker can then execute arbitrary JavaScript  
in the browser of other users which could for example be used for phishing attacks.  
  
  
Proof of concept:  
-----------------  
1) Stored Cross-Site Scripting (CVE-2024-52951)  
An authenticated user can submit an access request and has to specify a reason why  
the access should be provided.  
  
<1-1_request_access.png>  
  
This request has to be intercepted and modified, e.g.:  
--------------------------------------------------------------------------------  
POST /workitemdlg.aspx?ACTTEMP=XXX&RURLID=YYY HTTP/1.1  
Host: $SERVER  
Cookie: oissessionid=$MYSESSION  
[...]  
Content-Type: application/x-www-form-urlencoded  
  
[...]  
1000104=Need+hello+access+and+bigfun<iframe+src=javascript:alert(document.domain)></iframe>&1000102=I+would+like+to+request+access+to+%5Bspecify+system%5D+so+I+can+perform+my+%5Bspecify+duties%5D+duties+related+to+my+work+as+a+%5Bspecify+position%5D.  
[...]  
--------------------------------------------------------------------------------  
  
Afterwards, anyone who reviews the "History" of this access request will be  
affected by the stored JavaScript code. Users who review the history requests are  
usually managers who have to approve this request, so this vulnerability allows  
reliably affecting higher-privileged users.  
  
<1-2_trigger_xss.png>  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following version of the on-prem solution has been tested which was the latest  
version available at the time of the test:  
* 14.0.14.36  
  
Previous versions of v14.14 hotfix #309 are affected according to the vendor, as  
well as <v15U1.  
  
  
Vendor contact timeline:  
------------------------  
2024-04-08: Contacting vendor through contract@omadaidentity.com; no response.  
2024-04-24: Contacting vendor through contract@omadaidentity.com and  
info@omadaidentity.com; no response.  
2024-05-06: Contacting vendor through their "Contact Us" form;  
We were contacted by Sales and forwarded the email to them.  
2024-05-08: CISO contacts us, we sent the advisory via provided Sharepoint  
link.  
2024-05-13: Vendor confirms security issues. XSS is fixed now and hotfixes  
are created for their releases.  
Second finding was disputed and seems to be a misconfiguration.  
Removed issue 2 from advisory.  
2024-05-27: Asking for a status update regarding XSS hotfixes.  
2024-05-27: Vendor: May cloud update is scheduled for 29th May. On-prem  
release version v15U1 is planned for 12th June. Hot-fix for on-prem  
version 14.14 is also planned for 12th June.  
2024-06-17: Asking if Hotfix is released  
2024-06-21: Vendor: Hotfix #309 for v14.14 is released  
2024-06-24: Vendor: asks if we are satisfied with the follow-up  
We agree and respect the wish to delay the publication of the  
advisory for at least one month.  
2024-10-08: Asking vendor regarding CVE assignment.  
2024-10-11: Vendor is waiting for internal confirmation regarding next steps,  
update hopefully next week.  
2024-10-08: Asking for a status update, whether we should assign a CVE.  
2024-10-31: Vendor responds with calculated CVSS vectors and asks for  
our opinions;  
We agree that the CVSS Base Score looks correct and ask to  
clarify if they want to register the CVE themselves or if  
we as a CNA should register it for them.  
2024-11-18: Received CVE number from vendor;  
We provide our CVE details to the vendor and ask them  
to update the CVE entry.  
2024-11-22: Vendor notifies us about the CVE update, gives us a  
green light for the publication and thanks us for our  
cooperation;  
We mention that we will publish it in the following week  
and also thank the vendor.  
2024-11-27: Release of security advisory.  
  
  
Solution:  
---------  
Upgrade to version v15U1 or install hotfix #309 for v14.14.  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Daniel Hirschberger / @2024