Integria IMS vulnerable to Cross Site Scripting (XSS)
Integria IMS version 5.0.92.
INCIBE has coordinated the publication of a vulnerability in Integria IMS, with the internal code INCIBE-2021-0406, which has been discovered by @_Barriuso (special mention to @nag0mez).
CVE-2021-3834 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N.
Input parameters have been secured. This vulnerability has been solved in Integria IMS 5.0 93.
Integria IMS version 5.0.92 does not correctly filter some fields related to the login.php file.
An attacker could exploit this vulnerability to perform a cross-site scripting (XSS) attack.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
TIMELINE:
08/04/2021 - Researchers' discovery.
09/04/2021 - Researchers contact INCIBE.
20/05/2021 - Integria IMS confirms that the fixed version and the software patch release have been published (Security Patch).
06/10/2021 - The advisory is published by INCIBE.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.