CVE-2006-4727

MEDIUM 4.3 / 10.0
Published: December 31, 2006 at 05:00 AM
Modified: April 9, 2025 at 12:30 AM
Source: cve@mitre.org

Vulnerability Description

Cross-site scripting (XSS) vulnerability in emfadmin/statusView.do in Tumbleweed EMF Administration Module 6.2.2 Build 4123, and possibly other versions before 6.3.2, allows remote attackers to inject arbitrary web script or HTML via the (1) lineId and (2) sort parameters.

CVSS Metrics

Base Score
4.3
Severity
MEDIUM
Vector String
AV:N/AC:M/Au:N/C:N/I:P/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Affected versions of the Tumbleweed EMF Administration Module are vulnerable to a cross-site scripting (XSS) attack that lets an attacker inject script into the web interface. This can lead to session hijacking, credential theft, and website defacement, potentially compromising sensitive data and user accounts. The vulnerability stems from improper sanitization of user-supplied input in the statusView.do component.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious URL containing a JavaScript payload within the lineId or sort parameters of the statusView.do request. For example: http://<target>/emfadmin/statusView.do?lineId=<XSS_PAYLOAD>&sort=...

Step 2: Request Submission: The attacker tricks a legitimate administrator into clicking the malicious URL, or sends the malicious URL to the administrator via email or other communication channels.

Step 3: Server Processing: The vulnerable server receives the request and processes the statusView.do page, including the attacker-supplied lineId and sort parameters.

Step 4: Vulnerable Rendering: The server's response includes the attacker's injected JavaScript payload within the HTML output, without proper sanitization or encoding.

Step 5: Browser Execution: The administrator's web browser parses the HTML response and executes the injected JavaScript payload within the context of the administrator's session.

Step 6: Exploitation: The injected JavaScript payload can perform various malicious actions, such as stealing the administrator's session cookie, redirecting the administrator to a phishing site, or defacing the website.

03 // Deep Technical Analysis

The vulnerability lies within the emfadmin/statusView.do component of the Tumbleweed EMF Administration Module. Specifically, the application fails to properly sanitize user-supplied input provided through the lineId and sort parameters. This allows an attacker to inject malicious JavaScript or HTML code into these parameters. When a user with administrative privileges views the statusView.do page with the crafted payload, the injected script executes within the context of the administrator's browser, enabling a range of attacks, including cookie theft, session hijacking, and redirection to malicious websites. The root cause is a lack of input validation and output encoding (e.g., HTML escaping) of the lineId and sort parameters before they are rendered in the HTML response. This allows the attacker to control the content displayed in the administrator's browser.
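The following is an added illustration, not code from Tumbleweed or from this database: a Python sketch of the defect class described in sections 02 and 03 (parameters echoed into HTML unencoded) next to the hardened form the root-cause note calls for (input validation plus output encoding), and a small access-log check for requests that carry markup in lineId or sort. The sort column names, the numeric shape of lineId, and the log lines are all assumptions constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed column names the sort parameter may take; the advisory does not list them.
ALLOWED_SORT_COLUMNS = {"lineId", "status", "lastUpdated"}
MARKUP = re.compile("[<>\"']")  # characters that break out of HTML text or attributes


def render_status_view_vulnerable(line_id: str, sort: str) -> str:
    """Echoes both parameters verbatim into the page: the defect class the advisory describes."""
    return (f"<h2>Status for line {line_id}</h2>"
            f'<a href="statusView.do?lineId={line_id}&amp;sort={sort}">sort: {sort}</a>')


def valid_line_id(line_id: str) -> bool:
    """lineId is assumed to be a decimal identifier (assumption about the app's data model)."""
    return re.fullmatch(r"[0-9]{1,10}", line_id) is not None


def render_status_view_hardened(line_id: str, sort: str) -> str:
    """Validate each parameter against its expected shape, then HTML-escape on output."""
    if not valid_line_id(line_id):
        raise ValueError("lineId must be a decimal identifier")
    if sort not in ALLOWED_SORT_COLUMNS:
        sort = "lineId"  # fall back to a default rather than echo unknown input
    safe_id = html.escape(line_id, quote=True)  # encode anyway: defence in depth
    safe_sort = html.escape(sort, quote=True)
    return (f"<h2>Status for line {safe_id}</h2>"
            f'<a href="statusView.do?lineId={safe_id}&amp;sort={safe_sort}">sort: {safe_sort}</a>')


def flag_suspicious_requests(log_lines):
    """Return (line_number, parameter) pairs for statusView.do requests whose lineId or
    sort value contains HTML metacharacters after URL decoding (access-log review)."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = re.search(r'"(?:GET|POST) (\S*/emfadmin/statusView\.do\S*)', line)
        if not match:
            continue
        params = parse_qs(urlsplit(match.group(1)).query)  # parse_qs URL-decodes values
        for name in ("lineId", "sort"):
            if any(MARKUP.search(value) for value in params.get(name, [])):
                hits.append((number, name))
    return hits


# Constructed sample access-log lines (Common Log Format), not taken from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2007:10:00:00 +0000] "GET /emfadmin/statusView.do?lineId=42&sort=status HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2007:10:00:07 +0000] "GET /emfadmin/statusView.do?lineId=%3Cscript%3E&sort=status HTTP/1.1" 200 530',
    '10.0.0.9 - - [01/Jan/2007:10:00:09 +0000] "GET /emfadmin/index.do HTTP/1.1" 200 100',
]
```

The vulnerable renderer reproduces the page's own description of step 4; the hardened one rejects a non-numeric lineId, replaces an unknown sort with a default, and still escapes both values so that neither can leave the text or attribute context it is placed in.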

CVE-2006-4727 - MEDIUM Severity (4.3) | Free CVE Database | 4nuxd