Unrated severity · NVD Advisory · Published Sep 13, 2023 · Updated Sep 24, 2024

ITM Server Cross-site Scripting in WriteWindowTitle Endpoint

CVE-2023-4803

Description

A reflected cross-site scripting vulnerability in the WriteWindowTitle endpoint of the Insider Threat Management (ITM) Server's web console could be used by an authenticated administrator to run arbitrary JavaScript within another web console administrator's browser. All versions prior to 7.14.3.69 are affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated administrator can exploit a reflected XSS in Proofpoint ITM Server's WriteWindowTitle endpoint to execute arbitrary JavaScript in another admin's browser.

Vulnerability

The WriteWindowTitle endpoint in the Proofpoint Insider Threat Management (ITM) Server web console is vulnerable to a reflected cross-site scripting (XSS) flaw. This affects all versions prior to 7.14.3.69 [1]. The vulnerability allows an authenticated administrator to inject arbitrary JavaScript that is reflected back to the browser of another authenticated administrator viewing the console. The issue exists in the web console component of the ITM Server.

Exploitation

An attacker must have valid administrator credentials to the ITM Server web console. The attacker crafts a malicious URL that targets the WriteWindowTitle endpoint and carries the script payload. When a second authenticated administrator clicks the crafted link or is redirected to it, the injected JavaScript executes in the context of the victim's browser session. No additional user interaction beyond following the link is required.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim administrator's browser. This could lead to actions such as exfiltration of session tokens, manipulation of console settings, or performing other administrative actions on behalf of the victim. The impact is limited to the web console context, but because the victim has administrative privileges, the attacker's script can perform any action the victim can.

Mitigation

Proofpoint ITM Server versions 7.14.3.69 and later contain the fix for this vulnerability [1]. Administrators should upgrade to this version or newer. No workarounds are documented for unpatched installations. Those running unsupported or end-of-life versions are advised to upgrade to a supported release.
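
For servers that ran an affected version, web access logs can be reviewed for requests to the WriteWindowTitle endpoint that carried markup. The script below is an added example, not Proofpoint's code and not part of the advisory. It assumes W3C extended-format logs with the columns shown; the `/example/` path, the `title` parameter name and all sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

ENDPOINT = "writewindowtitle"  # endpoint name from the advisory, compared case-insensitively
# Heuristic (assumption): markup characters and script URL/handler syntax do not
# belong in a window title. Expect some false positives, e.g. quoted titles.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Constructed sample log; the path and the parameter name are hypothetical.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2023-09-01 10:00:01 10.0.0.5 admin1 GET /example/WriteWindowTitle title=Session+Report 200
2023-09-01 10:02:17 10.0.0.9 admin2 GET /example/WriteWindowTitle title=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
2023-09-01 10:03:40 10.0.0.9 admin2 GET /example/writewindowtitle title=%253Cb%253Ex%253C%252Fb%253E 200
2023-09-01 10:04:02 10.0.0.7 admin3 GET /example/Dashboard view=%3Cb%3E 200
""".splitlines()

def fully_decode(value, max_rounds=3):
    """Undo nested URL-encoding (%253C -> %3C -> <), bounded to a few rounds."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_lines):
    """Return (client_ip, user, parameter, decoded_value) for each suspicious request."""
    names, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            names = line.split()[1:]      # column order is declared by the log itself
            continue
        if line.startswith("#") or not names:
            continue
        row = dict(zip(names, line.split()))
        if ENDPOINT not in row.get("cs-uri-stem", "").lower():
            continue                      # only the endpoint named in the advisory
        query = row.get("cs-uri-query", "")
        for param, raw in parse_qsl(query):
            value = fully_decode(raw)     # parse_qsl already removed one encoding layer
            if SUSPICIOUS.search(value):
                hits.append((row.get("c-ip"), row.get("cs-username"), param, value))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because the flaw requires an authenticated administrator, the `cs-username` column of each hit identifies the account whose session sent the request, which is the starting point for triage.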

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
