Source: cve@mitre.org
Multiple cross-site scripting (XSS) vulnerabilities in objects/createobject.php in Open Constructor 3.12.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) name or (2) description parameter.
Open Constructor 3.12.0 is vulnerable to multiple cross-site scripting (XSS) flaws, allowing authenticated attackers to inject malicious HTML or JavaScript. This could lead to session hijacking, defacement, or the redirection of users to malicious websites. Successful exploitation requires an authenticated user account within the Open Constructor application.
Step 1: Authentication: The attacker must first authenticate to the Open Constructor application with a valid user account.
Step 2: Payload Delivery: The attacker crafts a malicious payload containing JavaScript or HTML. This payload is injected into either the name or description parameter when creating or modifying an object within the application. For example, <script>alert('XSS')</script> or <img src=x onerror=alert('XSS')>.
Step 3: Payload Storage: The malicious payload is stored within the Open Constructor database associated with the object's name or description.
Step 4: Victim Interaction: A legitimate user, or the attacker, views the object containing the malicious payload.
Step 5: Payload Execution: The victim's web browser renders the object's details, including the attacker-controlled name or description. Because the input was neither validated on the way in nor encoded on the way out, the browser executes the injected JavaScript or renders the injected HTML, completing the stored XSS attack.
The vulnerability stems from insufficient input validation and output encoding in the objects/createobject.php script. Specifically, the script fails to properly sanitize the name and description parameters before displaying them on the page. This allows attackers to inject arbitrary HTML or JavaScript code within these parameters, which is then executed by the victim's browser when they view the crafted content. The root cause is a lack of HTML encoding or input validation to prevent malicious code from being interpreted as legitimate HTML.
While no specific APT groups are directly linked to this CVE, it's a type of vulnerability that could be exploited by various actors, including script kiddies and opportunistic attackers. This vulnerability is not listed on the CISA KEV catalog, but it's a good candidate for inclusion due to its potential impact.
Web application firewall (WAF) logs showing suspicious HTTP requests containing JavaScript or HTML tags in the name or description parameters of requests to objects/createobject.php.
Server-side logs showing unusual activity related to object creation or modification, particularly involving the name or description fields.
Network traffic analysis revealing the injection of JavaScript or HTML payloads in HTTP requests.
Security Information and Event Management (SIEM) systems configured to detect XSS attempts based on signature matching or anomaly detection.
File integrity monitoring to detect changes to objects/createobject.php or related files.
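As an added illustration of the log-based detection described above (not part of the original advisory), the following Python script scans access-log lines for requests to objects/createobject.php whose name or description parameter carries HTML or JavaScript markup once URL-decoded. The log lines, addresses, user names and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (combined log format); they are not
# taken from a real Open Constructor deployment.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jan/2000:10:01:02 +0000] "GET /objects/createobject.php?name=Inventory&description=Q2+stock HTTP/1.1" 200 512
10.0.0.9 - bob [01/Jan/2000:10:03:17 +0000] "GET /objects/createobject.php?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&description=test HTTP/1.1" 200 498
10.0.0.9 - bob [01/Jan/2000:10:04:41 +0000] "GET /objects/createobject.php?name=ok&description=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 501
10.0.0.7 - carol [01/Jan/2000:10:05:00 +0000] "GET /index.php?name=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TARGET_SCRIPT = "/objects/createobject.php"   # the vulnerable script named in the CVE
WATCHED_PARAMS = ("name", "description")      # the two injectable parameters
# Heuristic markup indicators: an HTML tag, an on* event handler, or a
# javascript: URL. Tune to the application's legitimate input before alerting.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def flag_xss_attempts(log_text):
    """Return one finding per watched parameter of a createobject.php request
    whose decoded value contains HTML/JS markup."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not access-log entries
        url = urlsplit(m.group("target"))
        if url.path != TARGET_SCRIPT:
            continue                      # only the vulnerable script is of interest
        # parse_qs URL-decodes once; the extra unquote_plus catches one level
        # of double-encoding that a plain string match would miss.
        params = parse_qs(url.query, keep_blank_values=True)
        for p in WATCHED_PARAMS:
            for raw in params.get(p, []):
                decoded = unquote_plus(raw)
                if MARKUP_RE.search(decoded):
                    findings.append({"ip": m.group("ip"), "user": m.group("user"),
                                     "param": p, "value": decoded})
    return findings


if __name__ == "__main__":
    for f in flag_xss_attempts(SAMPLE_LOG):
        print(f"{f['ip']} ({f['user']}) {f['param']}={f['value']!r}")
```

Ordinary access logs only record GET query strings; if the application submits the form via POST, the same check has to run over WAF or application-level logs that capture request bodies.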
Implement robust input validation to sanitize the name and description parameters. This includes filtering out or escaping potentially malicious characters like <, >, &, ', and ".
Implement output encoding (e.g., HTML encoding) to ensure that any user-supplied data displayed on the page is treated as data and not as executable code.
Upgrade to a patched version of Open Constructor or the latest version if available.
Apply a Web Application Firewall (WAF) to filter malicious requests.
Regularly scan the web application for vulnerabilities using automated tools.
Implement a Content Security Policy (CSP) to restrict the sources from which the browser can load resources, mitigating the impact of XSS attacks.