CVE-2023-30454

[Description]
An issue was discovered in ebankIT before version 7.
Document Object Model based XSS exists within the
/Security/Transactions/Transactions.aspx
endpoint. Users can supply their own JavaScript within the
ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray
POST parameter that will be passed to an eval() function and executed
upon pressing the continue button.

------------------------------------------

[Vulnerability Type]
Cross Site Scripting (XSS)

------------------------------------------

[Vendor of Product]
ebankIT

------------------------------------------

[Affected Product Code Base]
ebankIT - Omnichannel Digital Banking Platform - Version 6, patched in version 7

------------------------------------------

[Affected Component]
The endpoint existing at: /Security/Transactions/Transactions.aspx

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Attack Vectors]
I discovered a Document Object Model-based Cross-Site Scripting issue
within the ebankIT platform. While manually inspecting the client-side
JavaScript code I came across the variable JSONText. This variable
was using the eval function to parse data passed to it through the
accobj variable. Knowing the eval function evaluates text as
JavaScript, I proceeded to locate exactly what data was passed to this
variable. I found that the data could be supplied by a user during a
Transfer request (on /Security/Transactions/Transactions.aspx), when
selecting which account to transfer from. To execute this XSS, I
intercepted our test user's Transfer request, supplied my own custom
JavaScript alert(4) in the
ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray
POST parameter, and pressed the continue button which resulted in
the payload successfully executing.
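To make the defensive side concrete, here is an added example (not ebankIT code) contrasting the eval()-based parse of the hidden hdnAccountsArray value described above with a JSON.parse()-based replacement that only accepts data of the expected shape. The exact eval() call, the account fields id and label, and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not ebankIT code. The unsafe function reconstructs the
// pattern the advisory describes (the eval wrapping is assumed); the safe
// function is the replacement a reviewer would ask for.

// Vulnerable pattern: whatever arrives in the hidden POST field is handed to
// eval(), so the field is a JavaScript injection point, not a data channel.
function parseAccountsUnsafe(accobj) {
  var JSONText = eval('(' + accobj + ')'); // executes attacker-controlled text
  return JSONText;
}

// Hardened replacement: JSON.parse() never executes its input, malformed
// input throws instead of running, and the result is validated against the
// shape the page expects (assumed: array of {id, label} string pairs).
function parseAccountsSafe(accobj) {
  var parsed;
  try {
    parsed = JSON.parse(accobj);
  } catch (e) {
    return null; // not JSON: reject outright rather than try to repair it
  }
  if (!Array.isArray(parsed)) return null;
  for (var i = 0; i < parsed.length; i++) {
    var acc = parsed[i];
    if (acc === null || typeof acc !== 'object') return null;
    if (typeof acc.id !== 'string' || typeof acc.label !== 'string') return null;
  }
  return parsed;
}

// Constructed sample inputs (not captured traffic).
var GOOD_ACCOUNTS = '[{"id":"ACC-001","label":"Current account"}]';
var NOT_JSON = 'alert(4)';                        // the advisory's payload shape
var WRONG_SHAPE = '{"id":"ACC-001"}';             // valid JSON, not an array
var CODE_AS_DATA = '[{"id":"alert(4)","label":"x"}]'; // stays a plain string

// Both parsers agree on well-formed data; only the safe one refuses code.
function demo() {
  return {
    unsafeGood: parseAccountsUnsafe(GOOD_ACCOUNTS).length,
    safeGood: parseAccountsSafe(GOOD_ACCOUNTS).length,
    safeNotJson: parseAccountsSafe(NOT_JSON),       // null, nothing executed
    safeWrongShape: parseAccountsSafe(WRONG_SHAPE), // null
    safeCodeAsData: parseAccountsSafe(CODE_AS_DATA)[0].id // 'alert(4)' as text
  };
}
```

Parsing safely removes the eval() sink, but the label strings still need HTML-escaping when written into the page, and the server should not trust a client-supplied hidden field for which accounts a user may transfer from in the first place.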

------------------------------------------

[Discoverer]
Jake Murphy