CVE-2018-16960
Description
Open XDMoD through 7.5.0 contains a reflected XSS vulnerability in login.php via the xd_user_formal_name parameter, enabling arbitrary JavaScript execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in Open XDMoD through version 7.5.0 in the file html/gui/general/login.php. The value of the xd_user_formal_name request parameter is written back into the page without output encoding, so anyone who controls that value can inject arbitrary HTML and JavaScript into the login page. All releases up to and including 7.5.0 are affected; the issue is fixed in version 8.0 [1].
Exploitation
The attacker crafts a URL to login.php that carries a JavaScript payload in the xd_user_formal_name parameter and lures a user into opening it, for instance via a link in email or on another site. No network position or prior authentication is required; the victim does not even need to be logged in, since login.php is reachable before authentication. For example, a request such as ...?xd_user_formal_name= followed by a script payload causes that script to execute in the victim's browser in the application's origin [1].
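The following is an added example, not code from Open XDMoD or from the cited write-up. It covers the two paragraphs above: it builds the crafted login URL, then classifies how a response reflects the parameter so a tester can tell a raw reflection (exploitable) from an encoded one (fixed), which is also the check to run after upgrading to 8.0. The path /gui/general/login.php, the marker string and the two render functions are assumptions; the renderers are constructed stand-ins for the vulnerable and the hardened output, not the project's actual markup.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed web path of html/gui/general/login.php; adjust to the deployment under test.
LOGIN_PATH = "/gui/general/login.php"
PARAM = "xd_user_formal_name"
MARKER = "xdmod16960probe"        # unique token so the reflection can be located in the page
PROBE = MARKER + '<"\'>'          # the characters that matter for breaking out of HTML


def build_probe_url(base_url: str) -> str:
    """The crafted link: the probe rides, URL-encoded, in the vulnerable GET parameter."""
    return base_url.rstrip("/") + LOGIN_PATH + "?" + urlencode({PARAM: PROBE})


def param_from_url(url: str) -> str:
    """What the server sees after the query string is decoded (what $_GET[PARAM] would hold)."""
    return parse_qs(urlparse(url).query).get(PARAM, [""])[0]


def classify_reflection(body: str, marker: str = MARKER) -> str:
    """raw: the marker followed by an unencoded '<' is in the page, so markup can be injected;
    encoded: the marker is present but '<' did not survive verbatim; absent: not reflected."""
    if marker + "<" in body:
        return "raw"
    if marker in body:
        return "encoded"
    return "absent"


def render_vulnerable(name: str) -> str:
    """Constructed stand-in for the pre-8.0 behaviour: the parameter is interpolated verbatim."""
    return '<input type="text" name="xd_user_formal_name" value="' + name + '">'


def render_hardened(name: str) -> str:
    """Same markup with output encoding, the equivalent of htmlspecialchars($name, ENT_QUOTES)."""
    return ('<input type="text" name="xd_user_formal_name" value="'
            + html.escape(name, quote=True) + '">')


def run_demo(base_url: str = "https://xdmod.example.org") -> dict:
    """Send the probe through both renderers and report how each one reflects it."""
    url = build_probe_url(base_url)
    name = param_from_url(url)
    return {
        "url": url,
        "vulnerable": classify_reflection(render_vulnerable(name)),
        "hardened": classify_reflection(render_hardened(name)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against a live instance, fetch build_probe_url(base) with your HTTP client of choice and pass the response body to classify_reflection; "raw" means the page is still exploitable, "encoded" means the parameter is being escaped. The classifier keys on a single unencoded "<" after the marker because that is the character whose survival makes script injection possible regardless of the surrounding markup context.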
Impact
Successful exploitation executes attacker-controlled JavaScript in the victim's browser within the Open XDMoD origin. Because the injection point is the login page, the script can capture credentials as the victim types them into the form. If the victim already holds a session, the script can read cookies not marked HttpOnly, issue requests with the victim's privileges, deface the page, or redirect the user to an attacker-controlled site; what is possible in practice is bounded by the privileges of the victim's account and by the browser's same-origin policy [1].
Mitigation
Upgrade to Open XDMoD version 8.0 or later, which fixes this and the related XSS issues CVE-2018-16961 and CVE-2018-16988 [1]. No vendor workaround is documented. Until the upgrade is done, administrators can limit exposure by restricting access to the portal to trusted networks where the deployment allows it, or by adding a web application firewall (WAF) rule that rejects requests to login.php whose xd_user_formal_name value contains HTML markup or script. A WAF rule is a stopgap rather than a fix: the durable correction is to HTML-encode the parameter at the point where it is written into the page.
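The scanner below is an added example, not part of the original advisory or of Open XDMoD. It runs the kind of predicate a WAF rule or detection content would use over web-server access logs: it isolates requests to login.php, decodes the xd_user_formal_name value (repeatedly, so double-encoded payloads such as %253C are not missed) and flags values containing markup or script. The log format (combined Apache/nginx), the /gui/general/ path and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

LOGIN_SCRIPT = "login.php"
PARAM = "xd_user_formal_name"

# Combined log format: client ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Markup or script indicators a person's formal name should never contain.
XSS_RE = re.compile(r"<\s*/?[a-z!/]|javascript\s*:|\bon[a-z]+\s*=|&#x?[0-9a-f]+;?", re.I)

# Constructed sample: one legitimate login, two probes from the same client, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:14:02:11 +0000] "GET /gui/general/login.php?xd_user_formal_name=Jane%20Doe HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2019:14:05:43 +0000] "GET /gui/general/login.php?xd_user_formal_name=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5201 "-" "curl/7.64.0"
198.51.100.23 - - [10/Mar/2019:14:06:02 +0000] "GET /gui/general/login.php?xd_user_formal_name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5233 "-" "curl/7.64.0"
192.0.2.44 - - [10/Mar/2019:14:07:19 +0000] "GET /gui/index.php?q=%3Cb%3E HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding until stable (bounded), so %253C and %3C both become '<'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(request_target: str) -> list:
    """Decoded xd_user_formal_name values in a login.php request that look like XSS."""
    parts = urlsplit(request_target)
    if not parts.path.endswith(LOGIN_SCRIPT):
        return []
    hits = []
    # parse_qs performs the first decoding round; fully_decode handles any further layers.
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        decoded = fully_decode(value)
        if XSS_RE.search(decoded):
            hits.append(decoded)
    return hits


def scan_log(lines) -> list:
    """One finding per suspicious parameter value, with the client, timestamp and status."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        client, ts, _method, target, status = match.groups()
        for payload in suspicious_params(target):
            findings.append({"client": client, "time": ts,
                             "status": int(status), "payload": payload})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

A 200 status on a flagged request means the page was served with the payload in it; after the 8.0 upgrade, or behind a WAF rule built on the same predicate, such requests should either be rejected or reflect the value encoded. Keep the bounded decoding loop in any WAF version of this check, since single-pass decoding is the usual reason double-encoded probes slip through.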
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Open XDMoD / Open XDMoD
- Range: <=7.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://github.com/grymer/CVE/blob/master/CVE-2018-16960.md (MISC)
News mentions
No linked articles in our index yet.