LigeroSmart 6.1.26: Cross-site scripting in AgentDashboard

Summary

An attacker can inject malicious code into LigeroSmart's dashboard by manipulating certain inputs, potentially allowing them to steal sensitive information or take control of user sessions. This vulnerability can be exploited remotely and is now being used by attackers. Users of LigeroSmart 6.1.26 should update to a fixed version as soon as possible.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
ligerosmart	ligerosmart	<= 6.1.26	–

Original title

A vulnerability was detected in LigeroSmart up to 6.1.26. The impacted element is the function AgentDashboard of the file /otrs/index.pl. Performing a manipulation of the argument Subaction results...

Original description

A vulnerability was detected in LigeroSmart up to 6.1.26. The impacted element is the function AgentDashboard of the file /otrs/index.pl. Performing a manipulation of the argument Subaction results in cross site scripting. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

nvd CVSS2.0 4.0

nvd CVSS3.1 6.1

nvd CVSS4.0 5.1

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

CWE-94 Code Injection

https://github.com/LigeroSmart/ligerosmart/ Product
https://github.com/LigeroSmart/ligerosmart/issues/284 Exploit Issue Tracking Third Party Advisory
https://github.com/LigeroSmart/ligerosmart/issues/284#issue-3879280231 Exploit Issue Tracking Third Party Advisory
https://vuldb.com/?ctiid.346156 Permissions Required VDB Entry
https://vuldb.com/?id.346156 Third Party Advisory VDB Entry
https://vuldb.com/?submit.749788 Exploit Third Party Advisory VDB Entry