#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: TeamMate+ Audit (TeamStore)
# Vendor: Wolters Kluwer
# CSNC ID: CSNC-2022-002
# Subject: Cross-Site Scripting
# Severity: Medium
# Effect: Cross-Site Scripting
# Author: Adrian Kress
# Date: 2022-01-31
#
#############################################################

Introduction
------------
TeamMate+ Audit is a comprehensive audit management system that helps
auditors and audit department leadership streamline all aspects of the
audit process. TeamMate provides organizations across the globe with the
tools to identify risk and create assessment reports, create and manage
audits, schedule projects and allocate resources, capture time and
expenses, track audits and issues via an advanced electronic working
papers database. [1]

In a customer project, we were able to store malicious JavaScript code in
the documentation of a folder in the TeamStore. Because TeamMate+ Audit
(version July 2021) implements no encoding on this output, this leads to
cross-site scripting.

Technical Description
---------------------
An attacker can insert the following JavaScript code under
TeamStore -> New Cabinet -> New Folder -> Documentation:

Once another user visits the page with the malicious JavaScript code in
the documentation, the injected code is executed. This could be abused
to, e.g., redirect the victim to a phishing page.

Vulnerability Classification
----------------------------
CVSS v3.1 Metrics [2]:
- CVSS Base Score: 5.4 (Medium)
- CVSS Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Workaround / Fix
----------------
Upgrade TeamMate+ Audit to the November 2021 version.

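The missing output encoding described under Technical Description, shown as an added example that is not part of the advisory or the vendor's code: a render function that concatenates a stored documentation field into the page, next to one that HTML-encodes every stored field at output time. The function names, the folder record and the harmless marker value are constructed assumptions.

```javascript
// Added example; all names and sample data are constructed, not TeamMate+ code.

// The five characters that can change HTML parsing context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": stored fields are concatenated into the page as markup.
function renderFolderUnencoded(folder) {
  return `<div class="folder" title="${folder.name}">` +
         `<h2>${folder.name}</h2><div class="doc">${folder.documentation}</div></div>`;
}

// "After": every stored field is encoded at output time, which covers
// both the element body and the quoted attribute value.
function renderFolderEncoded(folder) {
  const name = encodeHtml(folder.name);
  const doc = encodeHtml(folder.documentation);
  return `<div class="folder" title="${name}">` +
         `<h2>${name}</h2><div class="doc">${doc}</div></div>`;
}

// Rough check: list the start tags present in the output
// (a regex for illustration, not an HTML parser).
function activeTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || [])
    .map((tag) => tag.match(/^<([a-zA-Z0-9]+)/)[1].toLowerCase());
}

// Constructed sample record with a harmless marker script.
const sampleFolder = {
  name: 'Q3 "Controls" Review',
  documentation: 'See notes <script>console.log("marker")</script> & appendix',
};

console.log(activeTags(renderFolderUnencoded(sampleFolder))); // script element survives
console.log(activeTags(renderFolderEncoded(sampleFolder)));   // only the template's own tags
```

Encoding belongs at the point of output, so data that was stored before the fix is also rendered inert.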
Timeline
--------
2021-10-01: Vulnerability discovered
2021-10-06: Informed developer about the vulnerability
2021-11-01: Developer released version with the fixed vulnerability
2022-01-31: Public disclosure

References
----------
[1] https://www.wolterskluwer.com/en/solutions/teammate/teammate-audit
[2] https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N