CVE-2019-10846
Description
Computrols CBAS 18.0.0 allows Unauthenticated Reflected Cross-Site Scripting vulnerabilities in the login page and password reset page via the username GET parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Computrols CBAS 18.0.0 contains unauthenticated reflected XSS vulnerabilities in the login and password reset pages via the username parameter.
Vulnerability
Computrols CBAS version 18.0.0 is vulnerable to unauthenticated reflected cross-site scripting (XSS) in the login page and password reset page. The username GET parameter is not sanitized before being reflected in the response, allowing an attacker to inject arbitrary JavaScript. This issue is similar to the one reported for version 19.0.0 [3].
Exploitation
An attacker can craft a malicious URL containing a JavaScript payload in the username parameter. No authentication is required. The victim must be tricked into clicking the link; the script then executes in the context of the CBAS web interface, typically with the same privileges as the victim's session [3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, defacement, or other actions that the victim can perform within the CBAS application [3].
Mitigation
As of the publication date, no official patch has been disclosed for version 18.0.0. Users should monitor vendor updates and consider upgrading to a patched version if available. No workaround is mentioned in the available references [3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
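With no patch or workaround listed for 18.0.0, reviewing web server access logs for markup in the `username` GET parameter is one practical check. The sketch below is an added example, not part of the CVE record or any vendor code; the page paths and log lines are constructed assumptions, since the record does not give the CBAS URLs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical paths: the record names the login and password reset pages
# but not their URLs. Replace with the paths used by your installation.
WATCHED_PATHS = {"/login.php", "/reset_password.php"}

# Markup characters and handlers that a username never needs, but that are
# required to break out of an HTML text or attribute context.
SUSPICIOUS = re.compile(r"[<>\"'`]|javascript:|\bon\w+\s*=", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_username(log_line):
    """Return the decoded username if the request looks like an XSS probe, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if url.path.lower() not in WATCHED_PATHS:
        return None
    # parse_qs decodes once; fully_decode catches double-encoded values.
    for raw in parse_qs(url.query, keep_blank_values=True).get("username", []):
        value = fully_decode(raw)
        if SUSPICIOUS.search(value):
            return value
    return None

def flagged_requests(lines):
    """Return (index, decoded username) for every line worth triaging."""
    hits = ((i, suspicious_username(line)) for i, line in enumerate(lines))
    return [(i, value) for i, value in hits if value is not None]

# Constructed sample access-log lines (combined log format, test addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /login.php?username=operator1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2020:10:01:00 +0000] "GET /login.php?username=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 540',
    '192.0.2.12 - - [01/Jan/2020:10:02:00 +0000] "GET /reset_password.php?username=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 530',
    '192.0.2.13 - - [01/Jan/2020:10:03:00 +0000] "GET /status.php?username=%3Cb%3E HTTP/1.1" 200 100',
]
```

Legitimate usernames containing an apostrophe will also be flagged, so treat hits as leads for triage rather than confirmed attempts.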
Affected products
- Computrols/CBAS
  - Range: = 18.0.0
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/155257/Computrols-CBAS-Web-19.0.0-Cross-Site-Scripting.html (mitre, x_refsource_MISC)
- applied-risk.com/index.php/download_file/view/196/165 (mitre, x_refsource_MISC)
- applied-risk.com/labs/advisories (mitre, x_refsource_MISC)