ITM Server Cross-site Scripting in UpdateInstalledSoftware Endpoint
Description
A reflected cross-site scripting vulnerability in the UpdateInstalledSoftware endpoint of the Insider Threat Management (ITM) Server's web console could be used by an authenticated administrator to run arbitrary JavaScript within another web console administrator's browser. All versions prior to 7.14.3.69 are affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated reflected XSS in ITM Server's UpdateInstalledSoftware endpoint allows an admin to execute arbitrary JavaScript in another admin's browser.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the UpdateInstalledSoftware endpoint of the Insider Threat Management (ITM) Server's web console [1]. An authenticated administrator can inject arbitrary JavaScript that will be reflected back and executed in the browser of another authenticated administrator. All versions prior to 7.14.3.69 are affected [1]. No special configuration beyond default deployment is required for the vulnerable code path to be reachable.
Exploitation
An attacker must be an authenticated administrator on the ITM Server web console [1]. The attacker crafts a malicious URL containing the payload and delivers it to another authenticated administrator (e.g., via email or internal messaging). When the victim administrator opens the crafted URL, the injected JavaScript executes in the context of the victim's session within the UpdateInstalledSoftware endpoint [1]. No further user interaction beyond opening the link is required.
Impact
Successful exploitation allows the attacker to run arbitrary JavaScript within the target administrator's browser [1]. This can lead to unauthorized actions performed under the victim's session, including but not limited to data exfiltration, modification of settings, or further lateral movement within the ITM console. The scope of compromise is limited to the privileges of the victim administrator.
Mitigation
Proofpoint released version 7.14.3.69, which addresses the vulnerability [1]. Customers are strongly advised to upgrade to this version or later. No workarounds are documented in the available reference. There is no indication of inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <7.14.3.69
- Proofpoint/ITM Server v5, Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.