CVE-2021-47920
Description
WebMO Job Manager 20.0 contains a cross-site scripting vulnerability in search parameters that allows remote attackers to inject malicious script code. Attackers can exploit the filterSearch and filterSearchType parameters to perform non-persistent attacks including session hijacking and external redirects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WebMO Job Manager 20.0 is vulnerable to reflected cross-site scripting via the filterSearch and filterSearchType parameters, enabling session hijacking and redirect attacks.
Vulnerability Overview
WebMO Job Manager 20.0 contains a reflected cross-site scripting (XSS) vulnerability in its search functionality. The application fails to properly sanitize user input supplied to the filterSearch and filterSearchType parameters, allowing an attacker to inject arbitrary HTML or JavaScript code [1][3]. This is a non-persistent (reflected) XSS issue, meaning the malicious payload is only active when a victim visits a specially crafted URL.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious link containing the injected script in the search parameters and tricking a user into clicking it. No authentication is required to trigger the vulnerability, but user interaction (e.g., clicking the link) is necessary for the attack to succeed [1]. The attack surface is remote, as the crafted URL can be delivered via email, social media, or other channels.
Impact
Successful exploitation allows the attacker to execute arbitrary script in the context of the victim's browser session. This can lead to session hijacking, where the attacker steals the victim's authentication cookies and gains unauthorized access to the WebMO Job Manager interface. Additionally, the attacker can perform external redirects, potentially leading to phishing attacks or other malicious activities [3].
Mitigation
The vendor has been notified and a fix was reportedly developed, though the exact patched version is not specified [1]. Users of WebMO Job Manager 20.0 should upgrade to the latest available version or apply input validation and output encoding to the affected parameters as a workaround. As of the publication date, no evidence of active exploitation in the wild has been reported.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
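The following Python example is added here and is not code from WebMO or from this advisory. It flags access-log requests whose filterSearch or filterSearchType value carries HTML metacharacters, including double-encoded ones, and shows the output encoding named under Mitigation; the log lines, request path, and function names are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

WATCHED = {"filterSearch", "filterSearchType"}  # names from the CVE description
MARKUP = re.compile(r"""[<>"']""")  # needed to leave an HTML text/attribute context
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; the request path is a placeholder, not WebMO's real path.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /example/jobmgr?filterSearch=benzene&filterSearchType=name HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /example/jobmgr?filterSearch=%3Ci%3Eprobe%3C%2Fi%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /example/jobmgr?filterSearchType=%2522%253E%253Cb%253E HTTP/1.1" 200 640',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (%253C -> %3C -> <), with a bounded loop."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url):
    """Return {param: decoded value} for watched parameters that carry markup."""
    hits = {}
    # parse_qsl performs the first decoding pass; fully_decode handles the rest.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name in WATCHED:
            decoded = fully_decode(value)
            if MARKUP.search(decoded):
                hits[name] = decoded
    return hits

def scan_access_log(lines):
    """Yield (line_number, hits) for log lines that deserve review."""
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m and (hits := suspicious_params(m.group(1))):
            yield n, hits

def render_search_term(value):
    """Output encoding for reflecting a value into HTML text or a quoted attribute."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    for n, hits in scan_access_log(SAMPLE_LOG):
        print(n, {k: render_search_term(v) for k, v in hits.items()})
```

Legitimate search terms containing an apostrophe or quote will also be flagged, so treat hits as review candidates and tune `MARKUP` to the deployment.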
Affected products
- Range: =20.0
Patches
No patches discovered yet.
References