CVE-2022-26155
Description
An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. XSS can occur via a payload in the SAMLResponse parameter of the HTTP request body.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cherwell Service Management 10.2.3 is vulnerable to stored XSS via the SAMLResponse parameter, allowing arbitrary JavaScript execution in the admin context.
Vulnerability
Cherwell Service Management (CSM) version 10.2.3 contains a stored cross-site scripting (XSS) vulnerability in the SAML single sign-on handling. An attacker can inject arbitrary JavaScript code via the SAMLResponse parameter in an HTTP POST request body. The code is stored and later executed when an administrator views the SAML response log, as described in [1] and [2].
Exploitation
To exploit the vulnerability, an attacker must be able to send a crafted HTTP POST request to the CSM web application with a malicious payload in the SAMLResponse field. No prior authentication is required if the SAML endpoint is publicly accessible. The payload is executed when an administrator with access to the SAML response log loads the affected page [2].
Impact
Successful exploitation results in arbitrary JavaScript execution in the context of an authenticated administrator's browser session. This can lead to theft of session cookies, redirection to attacker-controlled sites, or forced actions on behalf of the administrator, potentially compromising the entire CSM instance [1].
Mitigation
The issue was fixed in Cherwell Service Management version 10.4.0, released as part of the Ivanti platform [1]. Users should upgrade to CSM 10.4.0 or later. No workaround is provided; upgrading is the only recommended mitigation. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Cherwell/Service Management
- Range: =10.2.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.