CVE-2019-18664: Reflected XSS in DOMOS

Overview

  • Vendor: SECUDOS GmbH
  • Product: DOMOS
  • Version: 5.5
  • Vulnerability: Reflected Cross-Site Scripting
  • Fixed Version: 5.6

Background

DOMOS is SECUDOS GmbH's own hardened operating system. It is used as a platform by several applications and also offers a web interface for administering operating system settings.

Issue Description

While analyzing the implementation of the DOMOS web interface, one reflected Cross-Site Scripting vulnerability was identified that can be exploited to read password hashes from the file system. Exploitation requires an authenticated attacker with access to the web interface.
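To illustrate the class of defect described above, the following is an added example and not code from the advisory or from DOMOS: a minimal page handler that reflects a query parameter into HTML, shown in its vulnerable form beside the hardened form that encodes the value for both text and attribute context. The parameter name `msg`, the page template and the header set are assumptions chosen for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed template: the reflected value lands in two contexts, element text
# and a quoted attribute, so quote encoding matters as well as angle brackets.
PAGE = ('<html><body><p>Status: {msg}</p>'
        '<input name="filter" value="{msg}"></body></html>')


def get_msg(query: str) -> str:
    """Extract the (hypothetical) msg parameter from a raw query string."""
    return parse_qs(query).get("msg", [""])[0]


def reflect_unescaped(query: str) -> str:
    """Vulnerable pattern: user-controlled value inserted verbatim into HTML."""
    return PAGE.format(msg=get_msg(query))


def reflect_escaped(query: str) -> str:
    """Hardened pattern: html.escape(quote=True) encodes <, >, &, " and '."""
    return PAGE.format(msg=html.escape(get_msg(query), quote=True))


def has_raw_markup(rendered: str, user_value: str) -> bool:
    """Review check: does the user-controlled value reach the page unencoded?"""
    return user_value in rendered


def security_headers() -> dict:
    """Defence-in-depth headers an admin interface can send alongside encoding
    (assumed policy; script-src 'self' blocks inline script execution)."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer",
    }


if __name__ == "__main__":
    probe = "msg=%3Cb%3Ex%3C%2Fb%3E"  # constructed: URL-encoded <b>x</b>
    print("unescaped keeps markup:", has_raw_markup(reflect_unescaped(probe), "<b>x</b>"))
    print("escaped keeps markup:  ", has_raw_markup(reflect_escaped(probe), "<b>x</b>"))
```

The `has_raw_markup` check is the kind of assertion worth keeping in a regression test for every reflected parameter: the hardened handler must never let the decoded input appear byte-for-byte in the response, in either context. The CSP header is a second layer only; output encoding in the correct context remains the fix.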

Please consider the following complete HTTP-Request:

HTTP-Request

CVE

CVE-2019-18664

CVSSv3 Base Score

CVSS Base Score: 3.5

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2019 SVA System Vertrieb Alexander GmbH and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Co-Author:

Pascal Keul