Vendor description
"Sofico is the world’s leading supplier of mission-critical software solutions for automotive finance, leasing, fleet, and mobility management companies, and its software is used by a broad range of renowned leasing companies all over the world."
Source: www.sofico.global/en/about-sofico
Business recommendation
SEC Consult recommends updating to the latest version of Sofico Miles RIA.
An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues.
Vulnerability overview/description
1) Stored Cross Site Scripting (CVE-2021-41557)
Miles RIA is a software solution by Sofico that allows leasing companies to manage their leasing services on a single platform.
The Miles RIA application is vulnerable to Stored Cross-Site Scripting (XSS). An attacker with access to a user account of the RIA IT or the Fleet role can create a malicious work order in the damage reports section or change existing work orders with malicious JavaScript.
Proof of concept
1) Stored Cross Site Scripting (CVE-2021-41557)
The following payload can be used for the insecure work order number parameter of pending work orders in the damage reports section to inject and execute malicious JavaScript in the context of the victim. Once the victim visits the malicious work order, the attacker-controlled input gets reflected in the lower left context menu of the loaded webpage:
1000 <img src=x onerror=alert(document.domain)>This JavaScript code will then automatically get executed when the site, which contains the payload, is visited by the victim.
Vulnerable / tested versions
The following software version has been tested and found to be vulnerable:
- Miles RIA 2020.2 build 127964T
It is unknown whether previous versions are affected, as the vendor did not supply this information.