CVE-2021-47725
Description
STVS ProVision 5.9.10 contains a cross-site scripting vulnerability in the 'files' POST parameter that allows authenticated attackers to inject arbitrary HTML code. Attackers can exploit the unvalidated input to execute malicious scripts within a user's browser session in the context of the affected site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
STVS ProVision 5.9.10 contains an authenticated reflected XSS vulnerability via the 'files' POST parameter, allowing arbitrary HTML injection.
Vulnerability
Description
STVS ProVision 5.9.10 suffers from a reflected cross-site scripting (XSS) vulnerability in the 'files' POST parameter. The application fails to properly sanitize user input before reflecting it back in the response, allowing an authenticated attacker to inject arbitrary HTML or JavaScript code [1][3]. This issue affects multiple versions of the software, including 5.9.10, 5.9.9, and earlier releases [4].
Exploitation
An attacker with valid credentials can craft a malicious POST request to the /archive/download endpoint with a payload in the files parameter. For example, sending files=<script>alert(document.URL)</script> triggers execution of the script in the victim's browser when the response is rendered [3]. The vulnerability is reflected, meaning the payload is immediately executed in the context of the affected site without requiring additional interaction beyond rendering the response [4].
Impact
Successful exploitation allows the attacker to execute arbitrary HTML and JavaScript in the browser session of any user who receives the crafted response. This can lead to session hijacking, defacement, or theft of sensitive information within the context of the STVS ProVision application [1][4]. Because the attacker must be authenticated, the attack surface is limited to authenticated users, but the impact is still significant for organizational deployments.
Mitigation
Status
As of the publication date, no official patch has been released by the vendor. The vulnerability was disclosed by Zero Science Lab on January 19, 2021, after the vendor failed to respond within a reasonable timeframe [1]. Affected versions include 5.9.10, 5.9.9, 5.9.7, 5.9.1, 5.9.0, 5.8.6, 5.7, 5.6, and 5.5 [3][4]. Administrators should consider applying input validation and output encoding on the reflected parameter, or upgrading to a patched version if one becomes available.
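The output-encoding fix that the Mitigation section alludes to, as an added illustration that is not code from STVS ProVision or from the advisory: a hypothetical handler for the /archive/download response that reflects the 'files' value verbatim, the same handler with HTML entity encoding applied on output, and a regression check a defender can run against either version. The handler, its markup and the response text are assumptions; the payload string is the one quoted in the advisory.

```python
import html

# Constructed sample input: the payload quoted in the advisory, as it would
# arrive in the 'files' POST parameter of /archive/download.
SAMPLE_PAYLOAD = "<script>alert(document.URL)</script>"
HTML_SIGNIFICANT = '<>&"\''


def render_download_vulnerable(files: str) -> str:
    """Hypothetical handler that reflects the parameter verbatim (the flaw)."""
    return f"<p>Preparing download for: {files}</p>"


def render_download_hardened(files: str) -> str:
    """Same handler with contextual output encoding for an HTML text node.

    quote=True also encodes " and ', so the same call is safe if the value
    is later placed inside a double-quoted attribute.
    """
    return f"<p>Preparing download for: {html.escape(files, quote=True)}</p>"


def reflects_unencoded(response_body: str, submitted: str) -> bool:
    """Regression check for a fix.

    Returns True when a submitted value containing HTML-significant
    characters comes back verbatim, i.e. it was not encoded on output.
    Values without such characters can never be reflected XSS, so they
    return False even when echoed unchanged.
    """
    if not any(ch in submitted for ch in HTML_SIGNIFICANT):
        return False
    return submitted in response_body


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_download_vulnerable),
                          ("hardened", render_download_hardened)):
        body = handler(SAMPLE_PAYLOAD)
        print(f"{name}: reflects_unencoded={reflects_unencoded(body, SAMPLE_PAYLOAD)}")
        print(f"  {body}")
```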
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
- cxsecurity.com/issue/WLB-2021010188
- exchange.xforce.ibmcloud.com/vulnerabilities/195723
- packetstormsecurity.com/files/161158/STVS-ProVision-5.9.10-Cross-Site-Scripting.html
- stvs.com
- www.vulncheck.com/advisories/stvs-provision-authenticated-reflected-cross-site-scripting-via-files-parameter
- www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5624.php
News mentions (0)
No linked articles in our index yet.