[+] Credits: Shahnawaz Shaikh, Security Researcher at Cybergate Defense LLC
[+] twitter.com/_striv3r_

[Vendor]
https://quorum.com/about/

[Product]
Quorum onQ OS - 6.0.0.5.2064

[Vulnerability Type]
Reflected Cross Site Scripting (XSS)

[Affected Component]
The login page GET parameter 'msg' is vulnerable to reflected cross-site
scripting.

[CVE Reference]
CVE-2024-44449

[Security Issue]
Cross Site Scripting vulnerability in Quorum onQ OS v.6.0.0.5.2064 allows a
remote attacker to obtain sensitive information via the msg parameter in
the Login page.

[Attack Vectors]
After obtaining the API key, an attacker can use tools such as curl,
Postman, or custom scripts to craft unauthorized requests to the target API.

[Network Access]
Remote

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: July 20, 2024
Vendor released fix: September 13, 2024
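
The reflection described under [Affected Component], as an added example showing the weak pattern beside two mitigations (output encoding, and treating msg as an allow-listed key). This is not the vendor's code: the product's implementation is not shown in this advisory, and the host, path, page template, message table and function names below are all assumptions.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Hypothetical fixed set of notices a login page might display.
LOGIN_MESSAGES = {
    "expired": "Your session has expired. Please sign in again.",
    "denied": "Invalid username or password.",
    "logout": "You have been signed out.",
}

# Hypothetical page template; {notice} is where the message is shown.
PAGE = '<html><body><div id="notice">{notice}</div></body></html>'

# Constructed request URL whose msg value carries harmless markup and quotes.
SAMPLE_URL = "https://onq.example/login?msg=%3Cb%3Eprobe%3C%2Fb%3E%22%27"


def get_msg(url: str) -> str:
    """Return the first (percent-decoded) 'msg' query value, '' if absent."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_login_reflecting(url: str) -> str:
    """Weak pattern: the raw parameter value is written into the HTML."""
    return PAGE.format(notice=get_msg(url))


def render_login_encoded(url: str) -> str:
    """Output encoding: HTML metacharacters are emitted as entities."""
    return PAGE.format(notice=html.escape(get_msg(url), quote=True))


def render_login_allowlisted(url: str) -> str:
    """Stronger: msg is only a lookup key; unknown keys render no notice."""
    text = LOGIN_MESSAGES.get(get_msg(url), "")
    return PAGE.format(notice=html.escape(text, quote=True))


def reflects_markup(page: str, value: str) -> bool:
    """Regression check: is a value containing HTML metacharacters present
    in the response unencoded?"""
    return any(c in value for c in "<>\"'&") and value in page


if __name__ == "__main__":
    probe = get_msg(SAMPLE_URL)
    for render in (render_login_reflecting, render_login_encoded,
                   render_login_allowlisted):
        print(render.__name__, reflects_markup(render(SAMPLE_URL), probe))
```

The reflects_markup check can be kept as a regression test against the login page after the vendor fix is applied.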