CVE-2023-50092
Description
APIIDA API Gateway Manager for Broadcom Layer7 v2023.2 is vulnerable to Cross Site Scripting (XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in the login page of APIIDA API Gateway Manager v2023.2 allows parameter injection via unencoded double quotes.
Vulnerability
APIIDA API Gateway Manager for Broadcom Layer7 v2023.2 (tested on v2023.2.2) contains a reflected cross-site scripting (XSS) vulnerability in the login page. The requestBeforeLogin hidden input field does not encode double quotes, allowing an attacker to inject arbitrary HTML attributes and JavaScript code into the input element [2]. The application strips < and > characters, preventing the injection of opening or closing tags, but quotes remain unaffected [2]. This enables attribute injection even within the hidden field.
Exploitation
An attacker must have network access to the API Gateway Manager instance (typically exposed on a network). No authentication is required because the vulnerability exists on the login page. The attacker crafts a URL whose requestBeforeLogin parameter value contains a double quote followed by additional attributes, e.g., test" autofocus onfocus="alert(1)". When a victim visits this URL, the injected attributes are rendered into the hidden input field [2]. Because the input is hidden, mouse-driven events such as onmouseover never fire; autofocus combined with onfocus, however, executes JavaScript as soon as the element receives focus during page load [2]. The browser loads the page, fires the event, and runs the injected JavaScript in the victim's session.
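The following is an added illustration, not APIIDA's code, of the encoding defect described in the Vulnerability and Exploitation sections above. It models a hypothetical server-side renderer for the hidden requestBeforeLogin field in two forms: the weak one the advisory describes (angle brackets stripped, quotes passed through) and a hardened one that escapes attribute-value metacharacters. A small attribute tokenizer then acts as the review check: a correctly encoded element carries exactly the three attributes the template defines, no matter what the parameter value contained. The function names, the template and the tokenizer are assumptions; the sample input is the payload quoted in the advisory.

```javascript
// Added example, not the product's code: hypothetical renderers for the hidden
// requestBeforeLogin input, weak and hardened, plus a reviewer-side check.

// Weak encoder (assumed model of the behaviour the advisory describes): removes
// < and > only, so a double quote can still close the value attribute and start
// new attributes inside the same <input> element.
function renderHiddenInputStripOnly(value) {
  const stripped = String(value).replace(/[<>]/g, "");
  return `<input type="hidden" name="requestBeforeLogin" value="${stripped}">`;
}

// Attribute-context escaper: & first (so later entities are not double-escaped),
// then both quote characters and both angle brackets.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened encoder: same template, escaped value.
function renderHiddenInputEscaped(value) {
  return `<input type="hidden" name="requestBeforeLogin" value="${escapeHtmlAttr(value)}">`;
}

// Minimal attribute tokenizer for a single start tag, handling double-quoted
// and bare attributes (enough for this example; not a full HTML parser).
// Returns the lower-cased attribute names in document order.
function attributeNames(tag) {
  const body = tag.replace(/^<[a-zA-Z]+\s*/, "").replace(/\s*\/?>$/, "");
  const names = [];
  const re = /([a-zA-Z_:][\w:.-]*)(?:\s*=\s*"([^"]*)")?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Review check: the rendered element must carry exactly the three attributes
// the template defines, regardless of what the value contained.
function rendersOnlyExpectedAttributes(tag) {
  return attributeNames(tag).join(",") === "type,name,value";
}

// Sample input: the test value quoted in the advisory.
const ADVISORY_PAYLOAD = 'test" autofocus onfocus="alert(1)"';

console.log(renderHiddenInputStripOnly(ADVISORY_PAYLOAD));
console.log(rendersOnlyExpectedAttributes(renderHiddenInputStripOnly(ADVISORY_PAYLOAD))); // false
console.log(renderHiddenInputEscaped(ADVISORY_PAYLOAD));
console.log(rendersOnlyExpectedAttributes(renderHiddenInputEscaped(ADVISORY_PAYLOAD))); // true
```

Run with node; the weak renderer yields five attributes (type, name, value, autofocus, onfocus), the hardened one three, because the escaped quotes can no longer terminate the value attribute. The check is deliberately placed on the rendered output rather than on the input, which is how a unit test would catch this class of defect even if a different filter is swapped in later.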
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session on the API Gateway Manager domain [2]. This can lead to session theft, credential harvesting, or further attacks against the management interface. The impact is limited to the user's interaction with the login page; the attacker does not gain direct access to the backend system. The CIA outcome is primarily confidentiality and integrity compromise at the user level.
Mitigation
As of January 2024, the vendor has not publicly released a fix [1]. Users should monitor the vendor's release notes for a patched version. In the absence of a patch, workarounds include restricting network access to the login page (e.g., by placing it behind a VPN or firewall), and training users to avoid clicking untrusted links. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- APIIDA/API Gateway Manager for Broadcom Layer7
- Range: =v2023.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.