CVE-2021-45228
Description
An XSS issue was discovered in COINS Construction Cloud 11.12. Due to insufficient neutralization of user input in the description of a task, it is possible to store malicious JavaScript code in the task description. This is later executed when it is reflected back to the user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in COINS Construction Cloud 11.12 via task description allows attackers to execute arbitrary JavaScript when users view the task.
Vulnerability
The COINS Construction Cloud version 11.12 is affected by a stored cross-site scripting (XSS) vulnerability in the Activity Workbench component. Due to insufficient neutralization of user input in the task description field, an attacker can inject malicious JavaScript code that is permanently stored on the server and later executed when the task information is reflected to a user. [1]
Exploitation
An attacker with access to the application can create a task with a malicious payload in the description field. The JavaScript code must be linked to an HTML event to be executed. The attacker can also assign tasks to other users, forcing them to view the malicious content. When the victim views the task, the injected script executes in the context of their browser session. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript within the victim's browser. This can lead to data theft (e.g., session cookies, sensitive information), defacement, or actions performed on behalf of the victim within the COINS application. The risk level is assessed as high. [1]
Mitigation
As of the disclosure date (2022-01-13), no official fix has been released by the vendor. The manufacturer was notified on 2021-11-02, but no solution date has been provided. Users should consider restricting access to the Activity Workbench or implementing additional input validation and output encoding as a workaround. The vulnerability remains unpatched. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- COINS/Construction Cloud
- Range: =11.12
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient neutralization of user input in the task description field allows stored cross-site scripting."
Attack vector
An attacker creates a new task in the Activity Workbench and inserts malicious HTML/JavaScript into the task description field, using an HTML event attribute such as "onmouseover" to trigger execution. The attacker can assign the task to another user, ensuring the payload is delivered directly to a victim. When the victim opens the Actions Menu for that task and hovers over the description, the stored JavaScript executes in the victim's browser session [ref_id=1].
Affected code
The vulnerability resides in the task description field within the Activity Workbench module of COINS Construction Cloud 11.12. The advisory does not specify a particular source file or function, but the input is stored and later reflected when a user views a task's "Actions Menu" [ref_id=1].
What the fix does
The advisory states that no fix has been provided by the vendor as of the disclosure date [ref_id=1]. Without a patch, the recommended remediation would be to properly sanitize or encode user-supplied HTML in the task description field before storing it and before reflecting it back to users, preventing the execution of arbitrary script content.
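The Mitigation section and the paragraph above both point at output encoding as the remediation. The following is an added example, not code from COINS or from the advisory: it renders a task description the unsafe way (raw interpolation into markup) and the hardened way (HTML-encoded on output), and includes a small regression check that reports any HTML event-handler attribute present in the rendered markup. The sample description is constructed here, modelled on the advisory's "hover-me" text carried inside an element with an onmouseover attribute; the function and template names are this example's own.

```javascript
// Added example (not COINS code). Constructed sample input: the shape of
// description the advisory describes, text inside an element that carries an
// HTML event attribute.
const SAMPLE_DESCRIPTION = '<b onmouseover="alert(1)">hover-me</b> Check site plan';

// Unsafe pattern: stored text is interpolated straight into the task markup,
// so any tag or attribute in the description becomes part of the page.
function renderTaskUnsafe(task) {
  return `<li class="task"><span class="desc">${task.description}</span></li>`;
}

// Output encoding for the HTML element-content context: every character that
// can open or close a tag or terminate an attribute value becomes an entity,
// so the stored text can only ever render as text.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: same template, description encoded at the point of output.
function renderTaskSafe(task) {
  return `<li class="task"><span class="desc">${encodeForHtml(task.description)}</span></li>`;
}

// Naive tag scanner for a regression test (not a full HTML parser): returns the
// lower-cased names of all attributes beginning with "on" found inside tags.
function findEventAttributes(html) {
  const found = [];
  const tagRe = /<[a-zA-Z][\w-]*([^>]*)>/g;
  const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    attrRe.lastIndex = 0;
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      if (/^on/i.test(attr[1])) found.push(attr[1].toLowerCase());
    }
  }
  return found;
}

// Renders the constructed sample both ways and returns the scanner's findings
// for each, so the difference can be checked programmatically.
function compareRenderings(description = SAMPLE_DESCRIPTION) {
  const task = { description };
  const unsafe = renderTaskUnsafe(task);
  const safe = renderTaskSafe(task);
  return {
    unsafe,
    safe,
    unsafeEvents: findEventAttributes(unsafe),
    safeEvents: findEventAttributes(safe),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = compareRenderings();
  console.log('unsafe markup :', result.unsafe);
  console.log('event attrs   :', result.unsafeEvents);
  console.log('safe markup   :', result.safe);
  console.log('event attrs   :', result.safeEvents);
}
```

In a browser the same protection comes from assigning the stored text to an element's `textContent` rather than `innerHTML`. If the product needs rich text in descriptions, the alternative is an allow-list sanitizer that drops event attributes and script-capable elements before storage and again on output; a Content Security Policy that disallows inline script limits the impact of anything that slips through.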
Preconditions
- auth: Attacker must have access to create tasks in the Activity Workbench
- input: Victim must open the Actions Menu for the attacker-created task and hover over the description
Reproduction
1. Open the landing page of COINS Construction Cloud.
2. Open Activity Workbench.
3. Create a new task.
4. Select a user to assign the task to.
5. Insert HTML code such as `hover-me` into the task description (using an event like `onmouseover`).
6. Save the task.
7. Reload the page and open the "Actions Menu".
8. The JavaScript code executes when the user hovers over the task description [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.