VYPR
Unrated severity · NVD Advisory · Published Apr 14, 2022 · Updated Aug 4, 2024

CVE-2021-45227

Description

An issue was discovered in COINS Construction Cloud 11.12. Due to an inappropriate use of HTML IFRAME elements, the file upload functionality is vulnerable to a persistent Cross-Site Scripting (XSS) attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

COINS Construction Cloud 11.12 suffers from persistent XSS via file upload due to improper IFRAME handling, allowing arbitrary script injection.

Vulnerability

The vulnerability is a persistent cross-site scripting (XSS) in COINS Construction Cloud version 11.12. The file upload functionality inappropriately uses HTML IFRAME elements, allowing an attacker to upload a file containing malicious JavaScript that gets executed when other users view the uploaded content. The affected version is 11.12 as tested [1].

Exploitation

An attacker needs to be able to upload files to the system. No special privileges are mentioned; presumably any authenticated user with file upload permissions can exploit this. The attacker uploads a crafted file containing an IFRAME element with malicious script. When other users access the uploaded file, the script executes in their browser context.

Impact

Successful exploitation leads to persistent XSS, meaning the injected script runs each time the malicious file is viewed. The attacker can perform actions on behalf of the victim, steal session cookies, or deface content. The impact is within the web application's security context.

Mitigation

As of the advisory publication (2022-01-13), no fix was available. The manufacturer was notified on 2021-11-02 but no solution date was provided [1]. Users should monitor for updates from COINS. No workaround is mentioned. The vulnerability is not listed in CISA KEV as of this writing.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0. No linked articles in our index yet.