Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in Worklenz version 2.1.5, specifically in the Project Updates feature. An attacker can input malicious JavaScript code into the Updates text field, which is then stored and later displayed without proper sanitization in the Reporting view. When a user views this page, the malicious script executes in their browser, potentially compromising their session or data. [2]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to malicious JavaScript executing in the browsers of users who view the affected Reporting page. This can result in session hijacking, theft of sensitive information, unauthorized actions performed on behalf of the user, or other malicious activities that compromise user security and data integrity. [2]

Useful 0 Not Useful 0

Detection Guidance

You can detect this vulnerability by attempting to inject a test payload into the Project Updates feature and then checking if it executes in the Reporting view. For example, enter a payload like `<img src=x onerror=alert('XSS')>` in the Updates text field of a project. Then navigate to Reporting → Projects and observe if the alert triggers, indicating the presence of the Stored XSS vulnerability. This manual test effectively detects the vulnerability. [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable Project Updates feature until a patch is applied, restricting access to trusted users only, and educating users about the risk of injecting untrusted content. Additionally, you can implement input sanitization or output encoding on the Updates text field to prevent malicious scripts from being stored and executed. Monitoring and reviewing updates from the vendor for patches is also recommended. [2]

Useful 0 Not Useful 0