XSS issue due to insufficient sanitization of input field

Vulnerability

An improper input validation vulnerability in the Web GUI of Secomea GateManager allows stored cross-site scripting (XSS). This issue affects Secomea GateManager all versions prior to 9.4 [1]. The vulnerability resides in the handling of user-supplied input that is not properly sanitized before being rendered in the administrative web interface.

Exploitation

An attacker with network access to the Web GUI can inject arbitrary JavaScript code by submitting crafted input through vulnerable fields. No authentication is required if the vulnerable component is exposed without access controls; otherwise, an authenticated session may be necessary depending on the specific input point. The injected script executes in the context of the victim's browser when the malicious content is rendered.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript code in the context of the affected web application. This can lead to theft of session cookies, defacement, redirection to malicious sites, or other client-side attacks. The attack impacts confidentiality and integrity, potentially compromising administrator credentials and session data.

Mitigation

Secomea released GateManager version 9.4 to address this vulnerability [1]. Users should upgrade to version 9.4 or later. No workarounds are documented in the available references. Organizations using affected versions prior to 9.4 should prioritize patching to reduce risk of XSS exploitation.