Reflected Cross-Site Scripting in Numerix License Server Administration System Login

Title

Reflected Cross-Site Scripting

Product

Numerix License Server Administration System Login

Vulnerable Version

1.1_596

Fixed Version

-

CVE Number

CVE-2024-50585

Impact

medium

Found

05.04.2024

By

Daniel Hirschberger (Office Bochum) | SEC Consult Vulnerability Lab

The login page of Numerix's License Server Administration System is vulnerable to Reflected Cross-Site Scripting (XSS) which allows an attacker to execute arbitrary JavaScript in the browser of a victim.

Vendor description

"Founded in 1996, Numerix has over 19 offices, 700 clients and 90 partners across more than 26 countries. Numerix is recognized across the industry for its many breakthroughs in quantitative research and is proud of its reputation for being able to price and risk manage any derivative instrument – vanillas to the most sophisticated exotic products."

Source: https://www.numerix.com/about-numerix

Business recommendation

The vendor did not respond to multiple contact attempts via various channels, so no fix is available. If you use this software, restrict access to it and monitor its logs. Reach out to your contact person at the vendor and request a patch.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.

Vulnerability overview/description

1) Reflected Cross-Site Scripting (CVE-2024-50585)

Users who click on a malicious link or visit a website under the control of an attacker can have arbitrary JavaScript executed in their browser, running in the context of the "Numerix License Server Administration System Login" (FQDN: connect.numerix.com).

Proof of concept

1) Reflected Cross-Site Scripting (CVE-2024-50585)

This vulnerability can be triggered by sending the following POST request:

[ redacted ]

The server responds with the injected JavaScript code which is then executed in the browser of the victim.
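The root cause described above is a login page that writes a submitted request value back into its HTML response without encoding it. The following is an added illustration, not code from Numerix, Agilis or the advisory: a minimal page renderer in the vulnerable form and in the hardened form, plus a check that a test suite or code reviewer can use to confirm that markup characters from the input no longer reach the response unencoded. The parameter name "username", the page layout and the probe value are assumptions; the actual request in the advisory is redacted.

```javascript
// Added example (not Numerix/Agilis code): how reflected XSS arises in a login
// page and how contextual output encoding removes it. The parameter name
// "username" and the page layout are assumptions; the real request is redacted.

// Encode the five characters that can break out of an HTML text or
// double/single-quoted attribute context. '&' must be handled first so that
// the entities produced for the other characters are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: the submitted value is concatenated straight into the
// markup returned after a failed login, so whatever the client sent is
// reflected into the page as HTML.
function renderLoginVulnerable(submittedUser) {
  return '<form method="post">' +
    '<p class="error">Login failed for user ' + submittedUser + '</p>' +
    '<input name="username" value="' + submittedUser + '">' +
    '</form>';
}

// Hardened pattern: every reflected value is encoded before it is placed in
// the text node and in the quoted attribute.
function renderLoginSafe(submittedUser) {
  const safe = escapeHtml(submittedUser);
  return '<form method="post">' +
    '<p class="error">Login failed for user ' + safe + '</p>' +
    '<input name="username" value="' + safe + '">' +
    '</form>';
}

// Defensive check: does the response still contain the input verbatim even
// though the input carries tag or attribute delimiters? If so, the renderer
// reflects markup unencoded. (Returns false for inputs without such characters,
// since a verbatim echo of plain text is expected.)
function reflectsUnescapedMarkup(html, input) {
  if (!/[<>"']/.test(input)) return false;
  return html.includes(input);
}

// Constructed probe value (an inert marker, not a script): it contains the
// characters an HTML encoder must neutralise.
const PROBE = '<b title="x">marker</b>';

// Stand-alone demonstration.
console.log('vulnerable reflects markup:',
  reflectsUnescapedMarkup(renderLoginVulnerable(PROBE), PROBE)); // true
console.log('hardened reflects markup:',
  reflectsUnescapedMarkup(renderLoginSafe(PROBE), PROBE));       // false
```

The encoder above is only correct for HTML text and quoted attribute values; a value placed inside a script block, a URL or a CSS property needs the encoding for that context instead, which is why the fix in a real template engine should be its auto-escaping mode rather than an ad hoc replace.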

Figure 1: Cross-site scripting

Vulnerable / tested versions

This vulnerability was identified on 5th April 2024. The following version seems to be affected:

  • 1.1_596, powered by Orion v2.5.10-083015, Agilis Software

Vendor contact timeline

2024-04-08 Contacting vendor through support@numerix.com; no response
2024-04-24 Contacting vendor through support@numerix.com; no response
2024-05-06 Contacting vendor through sales@numerix.com; no response
2024-05-28 Found out that the page might be part of a solution which is developed by agilis-sw.com; contacted them via info@agilis-sw.com; no response
2024-07-18 Contacted again via info@agilis-sw.com; no response
2024-10-22 Contacting support@numerix.com, sales@numerix.com and license@numerix.com again, asking for a security contact. Contacting CEO of Agilis Software via LinkedIn connection request. No response from any channel.
2024-10-28 Asking CERT/CC for coordination support
2024-11-18 CERT/CC will not handle this case, recommending proceeding with public disclosure
2024-12-11 Public disclosure of advisory.

Solution

No vendor fix is available: the vendor did not respond to any of the contact attempts listed in the timeline above. If you use this software, restrict access to the login page, monitor its logs, and request a patch through your contact person at the vendor.

Workaround

None

Advisory URL

https://r.sec-consult.com/numerix


EOF Daniel Hirschberger / @2024
