Stored Cross-Site Scripting in Omada Identity

Title: Stored Cross-Site Scripting
Product: Omada Identity
Vulnerable Version: <v15U1, <v14.14 hotfix #309
Fixed Version: v15U1, v14.14 hotfix #309
CVE Number: CVE-2024-52951
Impact: medium
Found: 20.03.2024
By: Daniel Hirschberger (Office Bochum) | SEC Consult Vulnerability Lab

The web application Omada Identity suffered from a stored cross-site scripting vulnerability which allowed authenticated users to execute arbitrary JavaScript in the browsers of other users if they clicked on a malicious link.

Vendor description

"Omada Identity is a modern, enterprise-ready IGA solution that is deployed on-premises, giving you full control over your data and security. Our solution is easy to use, highly customizable, and gives you complete visibility into your environment without having to write a single line of code but is completely customizable to address any requirement. With built-in automation features, Omada Identity can help you streamline your workflows, improve efficiency, and strengthen your security posture."

Source: https://omadaidentity.com/products/omada-identity/

Business recommendation

Upgrade to version v15U1 or install hotfix #309 for v14.14.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.

Vulnerability overview/description

1) Stored Cross-Site Scripting (CVE-2024-52951)

An authenticated user can inject JavaScript into the "Request Reason" of an access request. The injected JavaScript code is executed when another user views the "History" of this access request. An attacker can thus execute arbitrary JavaScript in the browsers of other users, which could, for example, be used for phishing attacks.

Proof of concept

1) Stored Cross-Site Scripting (CVE-2024-52951)

An authenticated user can submit an access request and has to specify a reason why the access should be provided.

Figure 1: Submitting an access request with a JavaScript payload

This request has to be intercepted and modified, e.g.:

POST /workitemdlg.aspx?ACTTEMP=XXX&RURLID=YYY HTTP/1.1
Host: $SERVER
Cookie: oissessionid=$MYSESSION
[...]
Content-Type: application/x-www-form-urlencoded

[...]
1000104=Need+hello+access+and+bigfun<iframe+src=javascript:alert(document.domain)></iframe>&1000102=I+would+like+to+request+access+to+%5Bspecify+system%5D+so+I+can+perform+my+%5Bspecify+duties%5D+duties+related+to+my+work+as+a+%5Bspecify+position%5D.
[...]

Afterwards, anyone who reviews the "History" of this access request is affected by the stored JavaScript code. Users who review the request history are usually managers who have to approve the request, so this vulnerability reliably reaches higher-privileged users.

Figure 2: Triggering the XSS payload
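As an added example (not code from the advisory, from SEC Consult or from the vendor), the following Python helper decodes a captured request body like the one above, flags a "Request Reason" that carries HTML markup or script URIs, and shows the contextual output encoding that renders such a reason harmless in a text context like the "History" view. The field id 1000104 is taken from the intercepted request above; the sample bodies are constructed, and how the vendor implemented the fix is not stated in the advisory.

```python
import html
import re
from urllib.parse import parse_qs

# Form field carrying the "Request Reason" in the intercepted request.
REASON_FIELD = "1000104"

# A real tag needs "<", an optional "/" and a tag name with no space in between;
# this keeps an honest reason such as "spend < 5k and risk > low" from firing.
TAG_RE = re.compile(r"</?[a-zA-Z][a-zA-Z0-9-]*(\s[^>]*)?>")
SCRIPT_URI_RE = re.compile(r"(?i)\b(javascript|vbscript)\s*:")
EVENT_HANDLER_RE = re.compile(r"(?i)\bon[a-z]+\s*=")  # coarse: onerror=, onload=, ...


def extract_reason(body: str) -> str:
    """Decode an application/x-www-form-urlencoded body and return the reason text."""
    return parse_qs(body, keep_blank_values=True).get(REASON_FIELD, [""])[0]


def find_markup(reason: str) -> list:
    """Names of the checks that fire on a decoded reason; an empty list means clean."""
    checks = (("html-tag", TAG_RE), ("script-uri", SCRIPT_URI_RE),
              ("event-handler", EVENT_HANDLER_RE))
    return [name for name, rx in checks if rx.search(reason)]


def safe_render(reason: str) -> str:
    """Output encoding for a text context: every HTML metacharacter is escaped, so a
    stored reason is displayed literally instead of being parsed as markup."""
    return html.escape(reason, quote=True)


# Constructed request bodies modelled on the one in the advisory; the second form
# field (1000102) is shortened to a placeholder.
SAMPLE_BODIES = {
    "benign": "1000104=Need+access+to+%5Bspecify+system%5D+for+Q2+reporting&1000102=x",
    "comparison": "1000104=Budget+approval+where+spend+%3C+5k+and+risk+%3E+low&1000102=x",
    "payload": ("1000104=Need+hello+access+and+bigfun<iframe+src=javascript:"
                "alert(document.domain)></iframe>&1000102=x"),
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        reason = extract_reason(body)
        print(f"{label:10} hits={find_markup(reason)!r:28} rendered={safe_render(reason)}")
```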

Vulnerable / tested versions

The following version of the on-prem solution was tested; it was the latest version available at the time of the test:

  • 14.0.14.36

According to the vendor, versions of v14.14 prior to hotfix #309 are affected, as well as versions prior to v15U1.

Vendor contact timeline

2024-04-08 Contacting vendor through contract@omadaidentity.com; no response.
2024-04-24 Contacting vendor through contract@omadaidentity.com and info@omadaidentity.com; no response.
2024-05-06 Contacting vendor through their "Contact Us" form; we were contacted by Sales and forwarded the email to them.
2024-05-08 CISO contacts us; we sent the advisory via the provided SharePoint link.
2024-05-13 Vendor confirms security issues. XSS is fixed now and hotfixes are created for their releases. Second finding was disputed and seems to be a misconfiguration. Removed issue 2 from advisory.
2024-05-27 Asking for a status update regarding XSS hotfixes.
2024-05-27 Vendor - May cloud update is scheduled for 29th May. On-prem release version v15U1 is planned for 12th June. Hotfix for on-prem version 14.14 is also planned for 12th June.
2024-06-17 Asking if hotfix is released.
2024-06-21 Vendor - Hotfix #309 for v14.14 is released.
2024-06-24 Vendor - asks if we are satisfied with the follow-up; we agree and respect the wish to delay the publication of the advisory for at least one month.
2024-10-08 Asking vendor regarding CVE assignment.
2024-10-11 Vendor is waiting for internal confirmation regarding next steps, update hopefully next week.
2024-10-31 Vendor responds with calculated CVSS vectors and asks for our opinions; We agree that the CVSS Base Score looks correct and ask to clarify if they want to register the CVE themselves or if we as a CNA should register it for them.
2024-11-18 Received CVE number from vendor; We provide our CVE details to the vendor and ask them to update the CVE entry.
2024-11-22 Vendor notifies us about the CVE update, gives us a green light for the publication and thanks us for our cooperation; We mention that we will publish it in the following week and also thank the vendor.
2024-11-27 Release of security advisory.

Solution

Upgrade to version v15U1 or install hotfix #309 for v14.14.

Workaround

None

Advisory URL

https://sec-consult.com/vulnerability-lab/


EOF Daniel Hirschberger / @2024