CVE-2022-29296

Vulnerability

Avantune Genialcloud ProJ version 10 (and potentially other Avantune products such as Facsys and Analysis) contains a reflected cross-site scripting (XSS) vulnerability in the login portal's error message handling. The msg request parameter is echoed unsanitized into the page's JavaScript, as demonstrated by the PoC request GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F [1]. No authentication is required to reach this endpoint.

Exploitation

An attacker can craft a malicious URL containing a payload in the msg parameter and deliver it (e.g., via phishing or link injection) to any user with access to the Genialcloud ProJ login portal. The victim's browser executes the injected script immediately upon loading the page, without requiring any user interaction beyond clicking the link. The PoC demonstrates successful injection of an alert() call [1].

Impact

Successful exploitation allows a remote attacker to execute arbitrary web scripts or HTML in the context of the victim's browser session. This can lead to information disclosure (e.g., session tokens, cookies), page content manipulation, or redirection to malicious sites, compromising the confidentiality and integrity of the user's interaction with the application [1][2].

Mitigation

No official fix from the vendor (Avantune) was available at the time of public disclosure (2022-06-01). The vendor was contacted multiple times between January and May 2022 but did not respond [1]. Until a patched version is released, administrators should implement a web application firewall (WAF) rule to sanitize the msg parameter or restrict access to the login portal to trusted networks. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.