[CVE-2018-15528] Reflected XSS in Java System Solutions SSO- Plugin for BMC MyIT

From: mamurch@deloitte.de
To: bugtraq@securityfocus.com
Subject: [CVE-2018-15528] Reflected XSS in Java System Solutions SSO- Plugin for BMC MyIT


Reflected XSS in Java System Solutions SSO Plugin for BMC MyIT


Reflected Cross-Site Scripting in Java System Solutions' BMC MyIT SSO Plugin version was identified during a penetration test. Other versions might be affected as well. A remote attacker can abuse this issue to inject client-side scripts into the "select_sso()" function. The payload is triggered when the victim opens a prepared link and hits the "Login" button.


Open https://<hostname>/ux/jss-sso/arslogin?javascript:alert(%27Deloitte%20XSS%20PoC%27) and hit the "Login" button.

Affected function:

  function select_sso() {  
    console.log('SSO login');
    id('loginForm').action= 'javascript:alert(%27Deloitte%20XSS%20PoC%27)';
    id('username').name= 'username';
    id('password').name= 'password';



Contact vendor for fix.

Disclosure Timeline:

2018-07-17: Vulnerability discovered
2018-07-17: Vulnerability reported to manufacturer
2018-07-17: Response from manufacturer that vulnerability is known and has been fixed, but refused to provide any details
2018-08-09: Requested CVE ID from MITRE; CVE-2018-15528 was reserved
2018-08-20: Public disclosure of vulnerability & notification to manufacturer


This security vulnerability was found by Marco Murch of Deloitte GmbH.

E-Mail: mamu[DELETE_ME_:-)]rch[at]deloitte[dot]de

Copyright © 1995-2019 LinuxRocket.net. All rights reserved.