CVE-2020-19762
Description
Automated Logic Corporation (ALC) WebCTRL System 6.5 and prior allows remote attackers to execute any JavaScript code via an XSS payload for the first parameter in a GET request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XSS vulnerability in ALC WebCTRL 6.5 and prior allows remote attackers to execute arbitrary JavaScript via a crafted request to failuremessage.jsp.
Vulnerability
A cross-site scripting (XSS) vulnerability, reached via a GET request, exists in Automated Logic Corporation (ALC) WebCTRL version 6.5 and prior. The bug resides in the _common/lvl5/failuremessage.jsp endpoint, where the message1 GET parameter is not properly sanitized before being rendered in the response. An attacker can inject arbitrary JavaScript code by supplying a specially crafted payload in that first parameter, as demonstrated in the proof-of-concept URL in reference [1].
Exploitation
An attacker requires no authentication and only needs to craft a malicious GET request to the vulnerable endpoint. The proof-of-concept shown in reference [1] uses a payload that bypasses simple encoding filters (e.g., %26%23x22%3b%3balert(1)%2f%2f107). The attacker can send the URL to a victim (e.g., via phishing) or embed it in a page that other users visit. No user interaction beyond following the link is needed for the XSS to execute in the victim's browser.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session on the WebCTRL application. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites, compromising the confidentiality and integrity of user data and application state.
Mitigation
The available reference [1] does not identify a fixed version from Automated Logic Corporation. The vendor was contacted (the CVE was reserved in 2020), but no patch or advisory detailing a remedy is currently disclosed. Until an official update is released, users should apply the principle of least privilege, restrict network access to the WebCTRL interface, and use a web application firewall to filter malicious payloads.
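As an added illustration (not code from the vendor or from the cited reference), the Python below shows the echo-the-parameter pattern the narrative describes beside an HTML-entity-encoded version of the same template, and a heuristic check over constructed access-log lines that flags requests to the affected endpoint whose decoded message1 value contains markup or script fragments. The leading slash on the path, the decoding depth and the metacharacter list are assumptions.

```python
import re
from html import escape
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the narrative; the leading slash is an assumption.
VULN_PATH = "/_common/lvl5/failuremessage.jsp"
# Heuristic markers of markup or script in a decoded value (assumed list).
SUSPICIOUS = re.compile(r"""[<>"']|&#|javascript:|\balert\s*\(""", re.IGNORECASE)
LOG_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def render_unsafe(message1: str) -> str:
    """The pattern the CVE describes: the parameter is echoed into HTML as-is."""
    return f"<div class='failure'>{message1}</div>"

def render_safe(message1: str) -> str:
    """Same template with HTML entity encoding, so markup in the input stays text."""
    return f"<div class='failure'>{escape(message1, quote=True)}</div>"

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so multiply-encoded values are inspected decoded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_request(log_line: str):
    """Return the decoded message1 value when a request to the endpoint looks
    like an injection attempt, otherwise None."""
    m = LOG_REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path.lower() != VULN_PATH:
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("message1", []):
        decoded = fully_decode(raw)
        if SUSPICIOUS.search(decoded):
            return decoded
    return None

# Constructed sample access-log lines (not real traffic); the second carries
# the percent-encoded payload quoted in reference [1].
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /_common/lvl5/failuremessage.jsp?message1=Login+failed HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2021:10:00:01 +0000] "GET /_common/lvl5/failuremessage.jsp?message1=%26%23x22%3b%3balert(1)%2f%2f107 HTTP/1.1" 200 530',
]
```

Running `flag_request` over `SAMPLE_LOG` returns None for the benign line and the decoded value `&#x22;;alert(1)//107` for the second; `render_safe` turns that value's leading `&` into `&amp;`, so the entity never reaches the browser as markup.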
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Automated Logic Corporation (ALC) / WebCTRL System
  - Range: <=6.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/ismailerkek/CVEs/blob/main/CVE-2020-19762-RESERVED.md (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.