Integria IMS vulnerable to Cross Site Scripting (XSS)

Publication date: 
10/06/2021
Importance: 
3 - Medium
Affected resources: 

Integria IMS version 5.0.92.

Description: 

INCIBE has coordinated the publication of a vulnerability in Integria IMS, assigned the internal code INCIBE-2021-0406, which was discovered by @_Barriuso (special mention to @nag0mez).

CVE-2021-3834 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been calculated; the CVSS vector string is AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N.

Solution: 

Input parameters have been secured. This vulnerability has been solved in Integria IMS 5.0 93.

Detail: 

Integria IMS version 5.0.92 does not correctly filter some fields related to the login.php file.

An attacker could exploit this vulnerability in order to perform a cross-site scripting attack (XSS).

This vulnerability has been solved in Integria IMS 5.0 93.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

TIMELINE:

08/04/2021 - Discovery by the researchers.
09/04/2021 - The researchers contact INCIBE.
20/05/2021 - Integria IMS confirms that the fixed version and the software patch have been released (Security Patch).
06/10/2021 - The advisory is published by INCIBE.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.
