CVE-2022-24967
Description
Black Rainbow NIMBUS before 3.7.0 allows stored Cross-site Scripting (XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Black Rainbow NIMBUS before 3.7.0 allows attackers to inject arbitrary JavaScript through crafted case data, leading to potential session hijacking.
Vulnerability
Black Rainbow NIMBUS versions prior to 3.7.0 contain a stored Cross-site Scripting (XSS) vulnerability. The application does not properly sanitize user input when creating or updating case data, allowing an attacker to store arbitrary HTML and JavaScript that will be executed in the browsers of other users viewing that content. [1]
Exploitation
An attacker with access to create or modify case data in NIMBUS (which may be any authenticated user depending on the deployment) can insert malicious script payloads into fields such as case descriptions or notes. When an administrator or other user views the crafted case, the script executes in their browser session; no user interaction beyond viewing the page is required. [1]
Impact
Successful exploitation enables the attacker to perform actions within the context of the victim's session, such as exfiltrating session cookies, performing unauthorized actions, or defacing displayed content. The impact is limited by the browser's same-origin policy but can lead to account takeover or information disclosure if the victim has higher privileges. [1]
Mitigation
Black Rainbow has addressed the issue in NIMBUS version 3.7.0. Users running an earlier version should upgrade to 3.7.0 or later. No workarounds have been publicly documented. [1]
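As an added illustration of the bug class described above (this is not NIMBUS code; the case record structure and field names are hypothetical), a render that interpolates stored case notes straight into HTML is shown beside its output-escaped form, together with a check that flags stored records already carrying markup:

```python
import html
import re
from dataclasses import dataclass, fields


@dataclass
class CaseRecord:
    """Hypothetical stored case as another user would later view it."""
    title: str
    notes: str


# Constructed sample: the notes field carries markup instead of plain text.
SAMPLE_CASE = CaseRecord(
    title="Ticket 42",
    notes='Customer reported outage <script>alert("xss")</script>',
)


def render_case_vulnerable(case: CaseRecord) -> str:
    """Emits stored fields as raw HTML, so stored markup becomes live markup."""
    return f'<h1>{case.title}</h1><div class="notes">{case.notes}</div>'


def render_case_hardened(case: CaseRecord) -> str:
    """Escapes every stored field at output time; stored text is displayed, never parsed."""
    return (
        f"<h1>{html.escape(case.title, quote=True)}</h1>"
        f'<div class="notes">{html.escape(case.notes, quote=True)}</div>'
    )


def emits_script_tag(rendered: str) -> bool:
    """Regression check on rendered output: is a literal <script element present?"""
    return "<script" in rendered.lower()


# Tag openers, inline event handlers and javascript: URLs; "a < b" does not match.
_MARKUP = re.compile(r"<[a-zA-Z/!]|javascript:|\bon\w+\s*=", re.IGNORECASE)


def flag_markup_fields(case: CaseRecord) -> list[str]:
    """Audit helper for existing data: names of fields that contain HTML-like content."""
    return [f.name for f in fields(case) if _MARKUP.search(getattr(case, f.name))]
```

Escaping on output is the fix for the rendering path; the audit helper only helps locate records that were stored while the bug was present.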
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Black Rainbow/NIMBUS
- Range: <3.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.