PT-2024-30: Stored DOM-Based Cross-Site Scripting (stored DOM XSS) in Passwork
Vendor: Passwork
Vulnerable product: Passwork
Vulnerable version: 6.4.0
Vulnerability type:
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Identifier (ID):
• BDU:2024-08021
Vulnerability vector:
• Vector (CVSSv3.1): CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
• Base score / severity (CVSSv3.1): 5.8 (medium)
• Vector (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
• Base score / severity (CVSSv4.0): 4.6 (medium)
Description:
The vulnerability was identified in Passwork version 6.4.0.
The application does not neutralize user-supplied data before that data is used by client-side code to build the web page (CWE-79, stored DOM-based XSS: the payload is persisted on the server and later inserted into the DOM by the application's JavaScript).
The vulnerability can be exploited by an authenticated user; successful exploitation allows arbitrary JavaScript to be executed in the victim's browser in the context of the application.
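The following is an added illustration of the CWE-79 pattern the description refers to; it is example code written for this page, not code from the advisory or from Passwork. It shows a persisted string being rendered through an HTML sink (the vulnerable pattern) beside two fixes: HTML-encoding the data for the context it lands in, and using a text sink so the browser never parses it. The record shape, the field names and the renderRecord* function names are assumptions.

```javascript
// Illustrative stored DOM XSS pattern (example code, not Passwork's source).
// Constructed sample: a record whose "title" field was saved by an attacker
// and is later handed to client-side JavaScript that builds the page.
const storedRecord = {
  id: 42,
  title: '<img src=x onerror="alert(document.cookie)">Payroll',
};

// Vulnerable pattern: data is concatenated into markup and written through an
// HTML sink (innerHTML, insertAdjacentHTML, jQuery .html(), ...). The browser
// parses the attacker's tag, so the onerror handler runs in the victim's session.
function renderRecordUnsafe(record) {
  return `<li data-id="${record.id}">${record.title}</li>`;
}

// Fix 1: neutralize the data for an HTML context before it reaches the sink.
// Encoding these five characters is correct for element content and for
// double-quoted attribute values; it is NOT sufficient for URL or JS contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderRecordSafe(record) {
  return `<li data-id="${escapeHtml(record.id)}">${escapeHtml(record.title)}</li>`;
}

// Fix 2 (preferred in browser code): use a text sink so no parsing happens at
// all. The `doc` parameter is guarded so this file also runs under Node.
function renderRecordDom(record, doc = (typeof document !== 'undefined' ? document : null)) {
  if (!doc) return null;
  const li = doc.createElement('li');
  li.dataset.id = String(record.id);
  li.textContent = record.title; // assigned as text, never interpreted as markup
  return li;
}

// Crude check used only to show the difference between the renderers: after
// stripping the <li> wrapper, does an element start tag from the data survive?
// (A demonstration aid, not a production XSS filter.)
function containsActiveMarkup(html) {
  const inner = html.replace(/^<li[^>]*>/, '').replace(/<\/li>$/, '');
  return /<[a-z!\/]/i.test(inner);
}

console.log('unsafe:', renderRecordUnsafe(storedRecord));
console.log('safe  :', renderRecordSafe(storedRecord));
```

When auditing a fix for this class of bug, check every place the stored field reaches the DOM, not just the one reported: a value that is encoded on one page and written through innerHTML on another is still exploitable, and encoding chosen for an HTML context does not protect a `href`, `src` or inline event-handler context.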
Vulnerability status: Confirmed by vendor
Date of vulnerability remediation: 09.10.2024
Recommendations:
• Update to version 6.4.3 or higher
Additional information: Aleksey Solovev (Positive Technologies)