{"id":55761,"date":"2024-04-01T19:32:24","date_gmt":"2024-04-01T15:32:24","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/177863\/arisbpm10210-xss.txt"},"modified":"2024-04-02T13:09:24","modified_gmt":"2024-04-02T08:39:24","slug":"aris-business-process-management-10-0-21-0-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/aris-business-process-management-10-0-21-0-cross-site-scripting\/","title":{"rendered":"ARIS: Business Process Management 10.0.21.0 Cross Site Scripting"},"content":{"rendered":"<p># Exploit Title: Stored Cross-Site Scripting (XSS) in ARIS: Business<br \/>\nProcess Management<br \/>\n# Edition Version 10.0.21.0<br \/>\n# Exploit Author: Seid Yassin<br \/>\n# Date: 2024-03-28<br \/>\n# Vendor: Software AG<br \/>\n# Software Link: https:\/\/aris.com\/<br \/>\n# Version: ARIS: Business Process Management<\/p>\n<p>## Description:<\/p>\n<p>We discovered a file upload feature lacking proper file extension validation.<br \/>\nThis vulnerability allows attackers to upload any type of file, including<br \/>\nmalicious ones. To demonstrate this, we successfully uploaded an SVG file<br \/>\nto carry out a Cross-Site Scripting (XSS) attack. In XSS attacks, malicious<br \/>\nscripts are injected into web pages viewed by other users, potentially<br \/>\nleading to data theft or unauthorized actions, such as theft of<br \/>\ncookies and session tokens.<\/p>\n<p>## Background:<\/p>\n<p>Cross-site scripting (XSS) is a common web security vulnerability that<br \/>\ncompromises user interactions with a vulnerable application. Stored XSS<br \/>\noccurs when user input is stored in the application and executed whenever a<br \/>\nuser triggers or visits the page.<\/p>\n<p>## Issue:<\/p>\n<p>A stored cross-site scripting (XSS) vulnerability in ARIS: Business Process<br \/>\nManagement software enables a malicious authenticated user to store an XSS<br \/>\npayload (via SVG) using the web interface. 
Then, when viewed by a properly<br \/>\nauthenticated user or administrator, the JavaScript payload executes within the<br \/>\nSVG and disguises all associated actions as performed by that unsuspecting<br \/>\nauthenticated user\/administrator.<\/p>\n<p>## Steps To Reproduce:<\/p>\n<p>1. Log into the ARIS application.<br \/>\n2. Navigate to my tasks, select any task and upload documents<br \/>\n(Change Request Form).<br \/>\n3. Insert any SVG file with an XSS script in it, e.g.<br \/>\nhttps:\/\/gist.github.com\/rudSarkar\/76f1ce7a65c356a5cd71d058ab76a344<\/p>\n<p>## Expected Result:<\/p>\n<p>After a user uploads a new document in the Change Request Form, they can<br \/>\nutilize the link for the SVG file and its UUID to access another path at<br \/>\n{{url}}\/documents\/api\/documents\/{{UUID}}\/content<\/p>\n<p>## Actual Result:<\/p>\n<p>The ARIS application is vulnerable to Stored Cross-Site Scripting, as<br \/>\nevidenced by the successful execution of the injected payload.<\/p>\n<p>## Proof of Concept:<\/p>\n<p>Screenshots are attached for reference.<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Stored Cross-Site Scripting (XSS) in ARIS: Business Process Management # Edition Version 10.0.21.0 # Exploit Author: Seid Yassin # Date: 2024-03-28 # Vendor: Software AG # Software Link: https:\/\/aris.com\/ # Version: ARIS: Business Process Management ## Description: Discovered a file upload feature lacking proper file extension validation. 
This vulnerability allows attackers to &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-55761","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55761","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=55761"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55761\/revisions"}],"predecessor-version":[{"id":55774,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55761\/revisions\/55774"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=55761"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=55761"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=55761"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}