CVE-2022-26156
Description
An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. Injection of a malicious payload within the RelayState= parameter of the HTTP request body results in the hijacking of the form action. Form-action hijacking vulnerabilities arise when an application places user-supplied input into the action URL of an HTML form. An attacker can use this vulnerability to construct a URL that, if visited by another application user, will modify the action URL of a form to point to the attacker's server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cherwell Service Management 10.2.3 suffers from form-action hijacking via injection into the RelayState parameter, allowing an attacker to redirect form submissions.
Vulnerability
An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. The RelayState= parameter of the HTTP request body is susceptible to injection of a malicious payload, leading to form-action hijacking. The application places user-supplied input directly into the action URL of an HTML form without proper sanitization. Affected versions include CSM 10.2.3 and possibly earlier versions; the fix is included in version 10.4.0, as per the release notes [1] [2].
Exploitation
An attacker must craft a URL containing a malicious payload in the RelayState= parameter. If another application user visits this crafted URL, the action URL of an HTML form will be modified to point to the attacker's server. No special network position or authentication is required beyond the ability to deliver the URL to a victim (e.g., via phishing or a link). The victim's interaction with the affected form triggers the hijack [2].
Impact
On successful exploitation, the attacker redirects form submissions to their own server, potentially capturing sensitive data (e.g., credentials, session tokens) that the victim submits through the form. This is a confidentiality impact, with the attacker able to steal information intended for the legitimate application [2].
Mitigation
The vulnerability is fixed in Cherwell Service Management version 10.4.0, released in early 2022 [1]. Users on version 10.2.3 or earlier should upgrade to the patched release or later. No official workaround has been published. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
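The pattern described under Vulnerability and the remediation described here can be illustrated side by side. The following is an added example and not Cherwell's code or the patch in 10.4.0: a constructed SSO-callback page builder in which the vulnerable variant copies the RelayState value straight into the form's action attribute, while the hardened variant accepts only a same-site relative path, falls back to a fixed default (the `/Dashboard` path and all function names are assumptions), and HTML-escapes the value before rendering.

```python
from html import escape
from urllib.parse import urlparse

# Constructed example: where a form is sent after single sign-on should come
# from the application's own configuration, never verbatim from RelayState.
DEFAULT_ACTION = "/Dashboard"  # assumed post-login landing path


def render_form_vulnerable(relay_state: str) -> str:
    """Vulnerable pattern: untrusted RelayState becomes the form action unchanged."""
    return f'<form method="post" action="{relay_state}"><!-- fields --></form>'


def safe_relay_state(relay_state: str, default: str = DEFAULT_ACTION) -> str:
    """Return relay_state only if it is a plain same-site path, else default.

    Rejects absolute URLs (any scheme or host), protocol-relative "//host"
    forms, backslashes that browsers may normalise to slashes, values that do
    not start with "/", and control characters such as CR/LF.
    """
    if not relay_state:
        return default
    try:
        parsed = urlparse(relay_state)
    except ValueError:
        # urlparse raises on some malformed host strings; treat as untrusted.
        return default
    if parsed.scheme or parsed.netloc:
        return default
    if relay_state.startswith("//") or "\\" in relay_state:
        return default
    if not relay_state.startswith("/"):
        return default
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in relay_state):
        return default
    return relay_state


def render_form_hardened(relay_state: str) -> str:
    """Hardened pattern: validate the destination, then escape it for the attribute."""
    action = escape(safe_relay_state(relay_state), quote=True)
    return f'<form method="post" action="{action}"><!-- fields --></form>'


if __name__ == "__main__":
    # Constructed inputs: one legitimate in-app path, one off-site destination.
    for value in ("/Tickets/View?id=42", "https://attacker.example/collect"):
        print("vulnerable:", render_form_vulnerable(value))
        print("hardened:  ", render_form_hardened(value))
```

The allowlist approach (only relative paths under the application's own origin) is stricter than trying to block known-bad prefixes, and the HTML escaping closes the separate attribute-injection path even when the value passes validation.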
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Cherwell/Service Management
- Range: = 10.2.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.