Cross-Site Scripting (XSS) vulnerabilities and direct unauthenticated access found in the LumisXP Framework

Aug 05, 2024 · 2 minute read

Vulnerability Disclosure

This publication covers the discovery of flaws that allow the execution of arbitrary scripts (HTML/JavaScript) and unauthorized access in applications built on LumisXP, all without authentication.

By Rodolfo Tavares and Niklas Corrêa

As part of the Tempest Technical Consulting team’s research results, it was possible to identify and report vulnerabilities affecting LumisXP, which were registered by MITRE under the following identifiers:

  • CVE-2024-33326: Cross-Site Scripting (XSS) vulnerability in the `XsltResultControllerHtml.jsp` page in LumisXP versions 15.0.x to 16.1.x.
  • CVE-2024-33327: Cross-Site Scripting (XSS) vulnerability in the `UrlAccessibilityEvaluation.jsp` page in LumisXP versions 15.0.x to 16.1.x.
  • CVE-2024-33328: Cross-Site Scripting (XSS) vulnerability in the `main.jsp` page in LumisXP versions 15.0.x to 16.1.x.
  • CVE-2024-33329: Use of hardcoded GUIDs in LumisXP versions 15.0.x to 16.1.x.

The four flaws stem from different problems, but all are related to inadequate input validation and the use of hardcoded GUIDs:

  1. CVE-2024-33326: Allows the execution of arbitrary scripts by injecting malicious code into the `lumPageID` parameter of the `XsltResultControllerHtml.jsp` page.
  2. CVE-2024-33327: Allows the execution of arbitrary scripts by injecting malicious code into the `contentHtml` parameter of the `UrlAccessibilityEvaluation.jsp` page.
  3. CVE-2024-33328: Allows the execution of arbitrary scripts by injecting malicious code into the `pageId` parameter of the `main.jsp` page.
  4. CVE-2024-33329: Use of hardcoded GUIDs that allow unauthorized access to LumisXP internal pages and sensitive information.

By exploiting the flaws described in these CVEs, it becomes possible to execute malicious scripts, obtain sensitive information, and access internal pages of the LumisXP system. All the exploits discussed can be carried out unauthenticated and remotely.

The vulnerabilities addressed in this publication have been reported to Lumis, which has resolved the flaws that were affecting the LumisXP framework. Technical details on the flaws identified are available:
