CVE-2021-36381

An unauthenticated remote attacker can inject arbitrary text into a victim's browser by crafting a URL to the login page. The attacker appends a `logon_error` parameter to `/tm/logon/logon.jsp?logon_error=` with arbitrary text content (e.g., `please%20change%20the%20password`). When the victim visits this crafted URL, the injected text is rendered in the browser without sanitization [ref_id=1].

The vulnerability is in the Web Application component of Edifecs Transaction Management, specifically in the login page file `logon.jsp`. The `logon_error` parameter is reflected into the user's browser without sanitization [ref_id=1].

The advisory does not include a patch or remediation guidance. The vendor has not published a fix as of the disclosure date (2021-07-12). To mitigate, the application should sanitize or encode the `logon_error` parameter before rendering it in the response to prevent text injection [ref_id=1].

1. Navigate to the Edifecs Console login page. 2. Enter any random credentials (e.g., admin | admin). 3. In the URL bar, append `/tm/logon/logon.jsp?logon_error=please%20change%20the%20password` and observe the injected text rendered in the browser [ref_id=1].