CVE-2021-45225
Description
An issue was discovered in COINS Construction Cloud 11.12. Due to improper input neutralization, it is vulnerable to reflected cross-site scripting (XSS) via malicious links (affecting the search window and activity view window).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
COINS Construction Cloud 11.12 is vulnerable to reflected XSS via unsanitized URL parameters in the search and activity view windows.
Vulnerability
In COINS Construction Cloud 11.12, several URL parameters in the search window (querySortOrder, queryFilterType) and activity view window (pvCILevel, pvCISibling, TopMenu) are not properly neutralized before being included in the generated HTML page [1]. This allows an attacker to inject arbitrary JavaScript by adding URL-encoded quotation marks (%22) that break out of the HTML attribute context; the activity view parameters are additionally placed inside JavaScript, enabling a second injection type that filters which only strip HTML tags do not catch [1].
Exploitation
An attacker needs only to craft a malicious link containing the XSS payload in one of the affected parameters and convince an authenticated user to click it (no network position beyond connectivity to the COINS application is required) [1]. No additional privileges are needed, and the only user interaction is clicking the link, because the injected script executes in the victim's browser session within the application's security context.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, leading to potential session hijacking, credential theft, defacement, or redirection to malicious sites [1][2]. Because the application is also vulnerable to account takeover via other flaws, an attacker could escalate privileges even from a low-privileged account [2].
Mitigation
The manufacturer was notified on 2021-11-02, but as of the public disclosure date (2022-01-13) no fix had been provided and the solution status remained "Open" [1]. No workaround is described in the available references [1][2]. Users should monitor the vendor for a patched version or consider implementing a web application firewall to filter malicious parameters as a temporary measure.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- COINS / Construction Cloud
- Range: = 11.12
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of user-supplied input in URL parameters allows an attacker to break out of HTML attribute and JavaScript contexts."
Attack vector
An attacker crafts a malicious link containing URL-encoded quotation marks (`%22`) and JavaScript payloads in one of the vulnerable parameters (`querySortOrder`, `queryFilterType`, `pvCILevel`, `pvCISibling`, or `TopMenu`). When a victim clicks the link and the page loads, the unsanitized input breaks out of the HTML attribute context and executes the injected script [1]. For the activity view parameters, the injection also occurs inside JavaScript, allowing a second payload type that bypasses filters that strip HTML tags [1].
Affected code
The advisory identifies two affected views: the search window (parameters `querySortOrder` and `queryFilterType`) and the activity view window (parameters `pvCILevel`, `pvCISibling`, and `TopMenu`). In both views, URL parameters are incorporated into the generated HTML page without neutralization [1].
What the fix does
The advisory states the solution status is "Open" and no fix had been published as of the disclosure date [1]. The manufacturer was notified on 2021-11-02, but no patch or remediation guidance is provided in the advisory [1]. Proper remediation would require neutralizing all user-supplied input before embedding it into HTML attributes and JavaScript contexts.
Preconditions
- Auth: The victim must be logged into COINS Construction Cloud 11.12 and click a crafted link.
- Network: The attacker must be able to deliver a URL containing malicious payloads to the victim (e.g., via email or a third-party site).
- Input: The vulnerable parameters must be present in the URL when navigating to the search window or activity view window.
Reproduction
Search window:
1. Navigate to a search window within the application.
2. Append `%22%3e%3cscript%3ealert(1)%3c%2fscript%3e` to the value of `querySortOrder` (or `queryFilterType`) in the URL.
3. Visit the page with the modified link.
4. The payload executes once the site loads [1].

Activity view window:
1. Navigate to the activity view window.
2. Append `%22-alert(1)-%22` to the value of `pvCILevel`, `pvCISibling`, or `TopMenu` in the URL.
3. The payload executes once the site loads [1].
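The two output contexts named under Affected code (HTML attribute in the search window, JavaScript string in the activity view) and the two payload shapes in the reproduction steps, as an added example that is not COINS code: the real templates are not public, so each view is a constructed stand-in, shown as the vulnerable splice beside the context-aware encoding a fix would need, with a parser check that the encoded payload stays inside the attribute and the JS literal. The URL host `coins.example` and the `level` variable are placeholders.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins for the two affected views; the real templates are not public.
# Search window: the parameter is spliced into an HTML attribute value.
def render_sort_attr_vulnerable(query_sort_order: str) -> str:
    return f'<input name="querySortOrder" value="{query_sort_order}">'

def render_sort_attr_hardened(query_sort_order: str) -> str:
    # quote=True also encodes " and ' so the value cannot close the attribute.
    return f'<input name="querySortOrder" value="{html.escape(query_sort_order, quote=True)}">'

# Activity view: the parameter is spliced into a JavaScript string literal.
def render_level_script_vulnerable(pv_ci_level: str) -> str:
    return f'<script>var level = "{pv_ci_level}";</script>'

def js_string_literal(value: str) -> str:
    """JSON-encode the value (escapes quotes, backslashes, control chars), then
    \\u-escape < > & so a '</script>' in the value cannot end the script element."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")

def render_level_script_hardened(pv_ci_level: str) -> str:
    return f'<script>var level = {js_string_literal(pv_ci_level)};</script>'

def param_from_url(url: str, name: str) -> str:
    """Decode one query parameter the way the server sees it (%22 -> ")."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]

class TagCollector(HTMLParser):
    """Records every start tag and the decoded attributes of the <input> element."""
    def __init__(self):
        super().__init__()
        self.tags, self.input_attrs = [], {}
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = dict(attrs)

def parse_fragment(fragment: str):
    """Return (start tags seen, decoded <input> attributes) for a rendered fragment.
    An unexpected 'script' tag means the payload escaped the attribute context."""
    collector = TagCollector()
    collector.feed(fragment)
    return collector.tags, collector.input_attrs
```

For the attribute case the hardened render yields only an `input` tag whose decoded `value` equals the attacker's string unchanged; for the script case the JSON-style literal keeps `"-alert(1)-"` as data instead of two string literals with a subtraction between them.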
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- appsource.microsoft.com/en-us/product/web-apps/constructionindustrysolutionslimited-5057232.coinsconstructioncloud
- www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-052.txt
- www.syss.de/pentest-blog/multiple-schwachstellen-im-coins-construction-cloud-erp-syss-2021-028/-029/-030/-031/-051/-052/-053
News mentions
No linked articles in our index yet.