Genesys PureConnect - Interaction Web Tools XSS

CVE: CVE-2020-7337
Category: CWE-79
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2022-09-15
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022090038

Below is a copy:

Genesys PureConnect - Interaction Web Tools XSS
Product: Genesys PureConnect - Interaction Web Tools Chat Service
Description: Interaction Web Tools Chat Service allows XSS within the Printable Chat History via the participant -> name JSON POST parameter.
Vulnerability Type: XSS
Vendor of Product: Genesys PureConnect
Affected Product Code Base: Interaction Web Tools - Chat Service - Appears to be all versions up to current release (26-September-2019)
Affected Component: "Print" feature of the Interaction Web Tools Chat: https://help.genesys.com/pureconnect/mergedprojects/wh_tr/desktop/pdfs/web_tools_dg.pdf
Attack Vectors:
To exploit the Cross-Site Scripting vulnerability, visit https://<vulnerable-domain>/I3Root/chatOrCallback.html 
Then select the "I don't have an account" option, and enter the name "><script>alert(1)</script>
Then press 'Start Chat'
Then enter anything in the chat box like 'asdfg' and press send
Now select the 'Printable Chat History' in the top right corner
XSS will trigger. You can google dork for vulnerable versions with inurl:"/I3Root/chatOrCallback.html" 

I'm assuming if an admin tries to print the chat conversation, it will trigger for them as well. Unable to confirm though.
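The advisory identifies the sink: a caller-supplied participant name from the chat JSON is rendered into the Printable Chat History without encoding, so a single stored value fires for anyone who opens the print view. The following JavaScript is an added example, not part of the advisory and not Genesys code. It contrasts a print-view renderer that concatenates the JSON field straight into markup with one that HTML-encodes every untrusted value, and uses the advisory's own test string as constructed input. The transcript shape, the function names and the log-review helper are assumptions; only the participant -> name field comes from the advisory.

```javascript
// Added example (not Genesys code): how a "Printable Chat History" page becomes
// a stored-XSS sink when a caller-supplied JSON field is concatenated into HTML,
// and how contextual output encoding closes it. Transcript shape and function
// names are assumptions; the participant -> name field mirrors the advisory.

// Constructed sample: a chat transcript as a server might hand it to the print
// view. The participant name carries the advisory's own test payload.
const SAMPLE_TRANSCRIPT = {
  participant: { name: '"><script>alert(1)</script>' },
  messages: [{ from: 'participant', text: 'asdfg' }],
};

// Vulnerable pattern: untrusted JSON values dropped straight into markup,
// in both an attribute-value context and an element-content context.
function renderPrintableHistoryUnsafe(transcript) {
  let html = `<div class="participant" data-name="${transcript.participant.name}">`;
  html += `<h2>Chat with ${transcript.participant.name}</h2>`;
  for (const m of transcript.messages) {
    html += `<p><b>${m.from}:</b> ${m.text}</p>`;
  }
  return html + '</div>';
}

// HTML entity encoding for element content and double-quoted attribute
// values. Encoding all five characters covers both contexts as long as
// attributes are always written with double quotes.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every untrusted value is encoded at the point it enters
// HTML. The reader still sees the name verbatim; the browser never parses it.
function renderPrintableHistorySafe(transcript) {
  const name = escapeHtml(transcript.participant.name);
  let html = `<div class="participant" data-name="${name}">`;
  html += `<h2>Chat with ${name}</h2>`;
  for (const m of transcript.messages) {
    html += `<p><b>${escapeHtml(m.from)}:</b> ${escapeHtml(m.text)}</p>`;
  }
  return html + '</div>';
}

// Review aid for defenders going through chat transcripts: flag participant
// names containing markup metacharacters, which a display name rarely needs.
function hasMarkupCharacters(name) {
  return /[<>"']/.test(String(name));
}

// Structural check used to compare the two renderers: does the output contain
// an unencoded <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe render contains <script>:',
  containsScriptTag(renderPrintableHistoryUnsafe(SAMPLE_TRANSCRIPT)));
console.log('safe render contains <script>:',
  containsScriptTag(renderPrintableHistorySafe(SAMPLE_TRANSCRIPT)));
console.log('flag for review:', hasMarkupCharacters(SAMPLE_TRANSCRIPT.participant.name));
```

The fix belongs at the rendering step, not at input: rejecting angle brackets on the chat form would miss other API clients that post the same JSON directly, whereas encoding at the sink protects every consumer of the stored transcript, including the printable view an agent or administrator might open later.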
