CVE-2021-45224
Description
An issue was discovered in COINS Construction Cloud 11.12. In several locations throughout the application, JavaScript code is passed as a URL parameter. Attackers can trivially alter this code to cause malicious behaviour. The application is therefore vulnerable to reflected XSS via malicious URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
COINS Construction Cloud 11.12 fails to sanitize JavaScript code passed in URL parameters, enabling reflected XSS via crafted links.
Vulnerability
COINS Construction Cloud version 11.12 suffers from improper neutralization of special elements used in a command (CWE-77). In several views, such as the "Browse Documents" page, JavaScript code is passed via the postCheckRowids and afterPost HTTP GET URL parameters without sanitization. An attacker can replace the original JavaScript with arbitrary code, leading to reflected cross-site scripting (XSS) [1].
Exploitation
An attacker crafts a malicious URL containing JavaScript payloads in either the postCheckRowids or afterPost parameter. The victim must be logged into the application and click the link. When the page loads, the injected JavaScript executes in the context of the victim's session [1][2]. No additional authentication or high privileges are required on the attacker's part.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Because the XSS is reflected, the attacker can target specific users and potentially escalate privileges by stealing cookies or performing actions on behalf of the victim [1][2].
Mitigation
As of the publication date, no fix has been released by the manufacturer, COINS; the solution status remains open [1]. The vendor was notified on 2021-11-02 but provided no response, and it is unclear whether later versions address the issue [2]. Until a patch is available, organizations should restrict access to the application, use web application firewalls to filter malicious parameters, and educate users not to click untrusted links while authenticated.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- COINS / Construction Cloud
- Range: 11.12
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of JavaScript code passed via HTTP GET URL parameters allows reflected cross-site scripting."
Attack vector
An attacker crafts a malicious URL containing arbitrary JavaScript code in the "postCheckRowids" or "afterPost" query parameters [ref_id=1]. If a logged-in victim visits this link, the application passes the attacker-supplied JavaScript to downstream components without sanitization, causing the code to execute in the victim's browser [ref_id=1]. The attack requires no special network position beyond delivering the crafted link to an authenticated user.
Affected code
The advisory identifies that JavaScript code is passed via the HTTP GET URL parameters "postCheckRowids" and "afterPost" in several application locations, such as the "Browse Documents" view [ref_id=1]. No patch or specific source files are provided in the bundle.
What the fix does
No patch or fix has been published by the manufacturer [ref_id=1]. The advisory notes that the solution status remains "Open" as of the disclosure date, and no remediation guidance is provided [ref_id=1].
Preconditions
- Auth: The victim must be logged into COINS Construction Cloud.
- Input: The attacker must deliver a crafted URL to the victim (e.g., via email or link).
Reproduction
1. Visit a page that uses the "postCheckRowids" or "afterPost" parameters, such as the "Browse Documents" view [ref_id=1].
2. Insert arbitrary JavaScript code into the value of the "postCheckRowids" parameter in the URL [ref_id=1].
3. Load the page with the modified link [ref_id=1].
4. The JavaScript code executes once the page has loaded [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- appsource.microsoft.com/en-us/product/web-apps/constructionindustrysolutionslimited-5057232.coinsconstructioncloud
- www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-053.txt
- www.syss.de/pentest-blog/multiple-schwachstellen-im-coins-construction-cloud-erp-syss-2021-028/-029/-030/-031/-051/-052/-053
News mentions
No linked articles in our index yet.