CVE-2023-37613
Description
A cross-site scripting (XSS) vulnerability in Assembly Software Trialworks v11.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the asset src parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A DOM-based cross-site scripting vulnerability in Assembly Software Trialworks v11.4 allows attackers to execute arbitrary scripts by injecting a crafted payload into the asset src parameter.
Vulnerability
A DOM-based cross-site scripting (XSS) vulnerability exists in Assembly Software Trialworks v11.4 [1]. The vulnerability is triggered via the asset src parameter, where a crafted payload can be injected to modify the DOM environment in the victim's browser. The issue was discovered through manual testing of HTTP requests and verified using the Dalfox XSS finder tool [1].
Exploitation
An attacker can place a crafted payload in the vulnerable src parameter of a Trialworks URL. When a victim opens that URL, the client-side code copies the parameter into the DOM and the injected script executes in the victim's browser, in the origin of the Trialworks application. No authentication is required to trigger the flaw; the attacker only needs to deliver the malicious link to the target user [1].
Impact
Successful exploitation allows an attacker to execute arbitrary web scripts or HTML in the victim's browser, leading to potential information disclosure, session hijacking, or defacement. The impact is client-side and can affect any user who accesses the crafted URL [1].
Mitigation
No official patch had been released as of the publication date (2023-07-24), and the vendor has not announced a fixed version. Until one is available, treat the src parameter as untrusted: validate it against an allowlist (scheme, origin and path prefix) before use, and never concatenate it into markup that is handed to a DOM sink such as innerHTML or a raw attribute string; build the element with DOM APIs instead so the value cannot escape its attribute context [1].
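The following is an added example, not code from Trialworks or from the CVE reporter. It models both the exploitation path and the mitigation described above: a `src` query parameter flowing into an asset tag, the attribute-breakout payload shape that a DOM-XSS scanner such as Dalfox would flag, and a hardened replacement that allowlists the value and renders it through DOM APIs. The function names, the `https://app.example` origin, the `/assets/` prefix and the crafted URL are assumptions; Trialworks' real code is not public.

```javascript
// Added example, not code from Trialworks or the CVE reporter. It models the
// DOM-XSS pattern the advisory describes (a "src" query parameter flowing into
// an asset tag) and a hardened replacement. The function names, the
// https://app.example origin and the /assets/ prefix are assumptions.

// What the page sees: the raw value of ?src=... from the current URL.
function getSrcParam(href) {
  return new URL(href).searchParams.get('src');
}

// VULNERABLE pattern (kept deliberately unsafe): the parameter is concatenated
// into markup that is later assigned to innerHTML. A value containing a quote
// closes the src attribute and the remainder becomes new attributes.
function buildAssetMarkupUnsafe(src) {
  return '<img src="' + src + '">';
}

// Hardened: resolve the value against the page origin with the URL parser,
// then allowlist scheme, origin and path prefix. This rejects javascript: and
// data: schemes, protocol-relative (//evil.example) and cross-origin targets,
// and traversal out of the asset directory (the parser normalises "..").
function validateAssetSrc(src, pageOrigin, allowedPrefix = '/assets/') {
  if (typeof src !== 'string' || src.length === 0 || src.length > 2048) return null;
  let u;
  try {
    u = new URL(src, pageOrigin);
  } catch {
    return null; // unparseable value
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  if (u.origin !== pageOrigin) return null;
  if (!u.pathname.startsWith(allowedPrefix)) return null;
  return u.href;
}

// Safe sink: build the element with DOM APIs so the value stays inside the
// attribute whatever characters it contains. Returns false when the value was
// rejected, so the caller can render a fallback instead of the asset.
function renderAssetSafe(doc, container, src, pageOrigin) {
  const safe = validateAssetSrc(src, pageOrigin);
  if (safe === null) return false;
  const img = doc.createElement('img');
  img.setAttribute('src', safe);
  container.textContent = '';
  container.appendChild(img);
  return true;
}

// Constructed demonstration input: an attribute-breakout payload in ?src=.
const CRAFTED_URL = 'https://app.example/view?src=x%22%20onerror%3D%22alert(1)';

if (typeof require !== 'undefined' && require.main === module) {
  const src = getSrcParam(CRAFTED_URL);
  console.log('raw param     :', src);
  console.log('unsafe markup :', buildAssetMarkupUnsafe(src));
  console.log('validated     :', validateAssetSrc(src, 'https://app.example'));
  console.log('legit asset   :', validateAssetSrc('/assets/logo.png', 'https://app.example'));
}
```

Run it with `node` to see the breakout: the unsafe builder emits `<img src="x" onerror="alert(1)">`, while `validateAssetSrc` returns `null` for the same value and only passes a same-origin path under `/assets/`. The validation is deliberately an allowlist rather than a blocklist of dangerous characters, since the URL parser, not a regex, decides how the value is interpreted.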
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Assembly Software / Trialworks
- Range: =11.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.