=======================================================================
title: Stored Cross Site Scripting
product: Sofico Miles RIA
vulnerable version: 2020.2 build 127964T
fixed version: 2020.2 build 128076 or higher
CVE number: CVE-2021-41557
impact: Medium
homepage: https://www.sofico.global
found: 2021-07-09
by: Oualid Lkhaouni (Office Bochum)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Sofico is the world’s leading supplier of mission-critical
software solutions
for automotive finance, leasing, fleet, and mobility management
companies,
and its software is used by a broad range of renowned leasing
companies
all over the world."
Source: https://www.sofico.global/en/about-sofico
Business recommendation:
------------------------
SEC Consult recommends updating to the latest version of Sofico
Miles RIA.
An in-depth security analysis performed by security
professionals is highly
advised, as the software may be affected from further security
issues.
Vulnerability overview/description:
-----------------------------------
1) Stored Cross Site Scripting (CVE-2021-41557)
Miles RIA is a software solution by Sofico that allows leasing
companies to manage
their leasing services on a single platform.
The Miles RIA application is vulnerable to Stored Cross-Site
Scripting (XSS).
An attacker with access to a user account of the RIA IT or the
Fleet role
can create a malicious work order in the damage reports section or
change
existing work orders with malicious JavaScript.
Proof of concept:
-----------------
1) Stored Cross Site Scripting (CVE-2021-41557)
The following payload can be used for the insecure work order
number
parameter of pending work orders in the damage reports section to
inject
and execute malicious JavaScript in the context of the victim.
Once the victim visits the malicious work order, the
attacker-controlled
input gets reflected in the lower left context menu of the loaded
webpage:
1000 <img src=x onerror=alert(document.domain)>
This JavaScript code will then automatically get executed when
the site
which contains the payload is visited by the victim.
Vulnerable / tested versions:
-----------------------------
The following software version has been tested and found to be
vulnerable:
* Miles RIA 2020.2 build 127964T
It is unknown whether previous versions are affected, as the
vendor did not
supply this information.
Vendor contact timeline:
------------------------
2021-07-26: Contacting vendor through
2021-08-24: Contacting vendor through
2021-09-21: Contacting vendor through
2021-11-04: Informing vendor about public advisory release on 9th
November 2021.
2021-11-08: Received info from 3rd party about patches.
2021-11-24: Informing vendor about public advisory release on 29th
November 2021.
2021-11-24: Received more detailed info from 3rd party about
patches.
2021-12-01: Coordination call with vendor.
2021-12-13: Coordinated release of security advisory.
Solution:
---------
The vendor provides patches for the affected product versions:
* Miles RIA 2020.2 build 128076 or higher
Workaround:
-----------
None
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC
Consult, an
Atos company. It ensures the continued knowledge gain of SEC
Consult in the
field of network and application security to stay ahead of the
attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration
testing and
the evaluation of new offensive and defensive technologies for our
customers.
Hence our customers obtain the most current information about
vulnerabilities
and valid recommendation about the risk profile of new
technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of
SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Oualid Lkhaouni / @2021
