Abstract Advisory Information


The feature for attaching a document to a post is vulnerable to stored Cross-site Scripting (XSS) in several locations, allowing an attacker to store a JavaScript payload.

Author: Dominique Righetto

Version affected


Name: Interact Software

Versions: 7.9.79.5

Common Vulnerability Scoring System


5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Patches


No patch available

References


Vulnerability Disclosure Timeline


  • 20/05/2022: Vulnerability discovery
  • 22/05/2022: Vulnerability Report to CERT-XLM
  • 05/06/2022: Vulnerability Report to Vendor through investigation
  • 05/06/2022: Vulnerability Report to Vendor through investigation
  • 13/06/2022: Vulnerability Report to Vendor through investigation
  • 20/06/2022: Community account creation requested from InteractSoftware in order to contact their technical department
  • 20/06/2022: Vulnerability Report to Vendor through investigation
  • 20/06/2022: Urged vendor to reply via Twitter
  • 04/07/2023: Update requested from vendor through investigation
  • 04/07/2023: Update requested from vendor on the community account creation
  • 15/07/2023: Ticket for a community account creation closed
  • 17/07/2023: Reply to help@interact-intranet.com asking for an update
  • 19/07/2023: Reply to help@interact-intranet.com asking for an update
  • 01/08/2023: Phone call to +1 (646) 564 5775, gave the vendor our contact information so they could reach us
  • 01/08/2023: Phone call to +1 (646) 564 5775
  • 16/08/2023: Phone call to +1 (646) 564 5775, got redirected to help@interactsoftware.com
  • 16/08/2023: Update requested from help@interactsoftware.com
  • 16/08/2023: CVE ID requested from MITRE
  • 23/08/2023: CVE ID assigned: CVE-2023-41103
  • 24/08/2023: Vulnerability disclosure