#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Abacus
# Vendor:   Abacus
# CSNC ID:  CSNC-2019-024
# CVE ID:   CVE-2019-19381
# Subject:  Reflected Cross-Site Scripting
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Ville Koch
# Date:     28.11.2019
#
#############################################################

Introduction:
-------------
Abacus is an owner-managed Swiss software company that employs around 460
people. For over three decades it has developed successful business
software. [1]

Compass Security discovered a security flaw in Abacus which allows
injecting client-side code into the application.

Affected (According to vendor):
-------------------------------
* v2019 prior to R4 (20.11.2019 Hotfix) [2]
* v2018 prior to R6 (20.11.2019 SP) running with AbaWebserver (jetty)
  instead of AbaSioux

Not affected (According to vendor):
-----------------------------------
* All versions running with AbaSioux and not using AbaWebServer (jetty)

Technical Description:
----------------------
Users are able to specify their own error messages for failed login
requests. These messages can be manipulated to contain JavaScript code,
which is then executed in the victim's browser as soon as the crafted URL
is visited (reflected cross-site scripting).

Request:
https:///oauth/oauth2/v1/saml/

Resulting HTML source code:
    (error page text; markup not preserved in this copy)
    HTTP Error 500
    /oauth/oauth2/v1/saml/
    Server Error

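The following is an added illustration, not code from Abacus, AbaWebServer or
jetty: a minimal error-page renderer that reproduces the pattern behind the
flaw (the request path written raw into the HTML body) next to the fix
recommended in the Workaround / Fix section (HTML-entity encoding at the point
of output), plus two check functions a tester can run over a captured response.
The payload, the sample path and all function names are constructed for this
example.

```python
import html

# Constructed sample input (not the advisory's actual payload): a request
# path with a script tag appended, as an attacker would place it in a link
# sent to a victim.
XSS_PAYLOAD = "<script>alert(document.domain)</script>"
SAMPLE_PATH = "/oauth/oauth2/v1/saml/" + XSS_PAYLOAD

# Template of a generic HTTP 500 page; the {path} slot is the dangerous one,
# because its value comes straight from the client's request line.
ERROR_TEMPLATE = (
    "<html><head><title>Error {status}</title></head><body>"
    "<h2>HTTP Error {status}</h2>"
    "<p>Problem accessing {path}. Reason:</p>"
    "<pre>{reason}</pre>"
    "</body></html>"
)


def error_page_vulnerable(request_path, status=500, reason="Server Error"):
    """Builds the 500 page with the raw request path in the HTML body.

    This mirrors the flaw: whatever the client put in the URL lands
    unencoded in the response, so a <script> tag in the path becomes live
    markup for the browser that receives the page.
    """
    return ERROR_TEMPLATE.format(status=status, path=request_path,
                                 reason=reason)


def error_page_fixed(request_path, status=500, reason="Server Error"):
    """Same page with every user-influenced value HTML-entity encoded.

    html.escape turns & < > " ' into entities, so the browser renders the
    payload as text instead of executing it.  Encoding happens at the
    point of output and matches the context written into (HTML body).
    """
    return ERROR_TEMPLATE.format(
        status=int(status),
        path=html.escape(request_path, quote=True),
        reason=html.escape(reason, quote=True),
    )


def reflects_active_markup(page, tainted_value):
    """True if the tainted input appears verbatim (unencoded) in the page.

    A crude check against a captured response: if the raw value made it
    through, the page is exploitable in that context.
    """
    return tainted_value in page


def reflection_is_encoded(page, tainted_value):
    """True if the input is reflected only in its entity-encoded form."""
    encoded = html.escape(tainted_value, quote=True)
    return encoded in page and not reflects_active_markup(page, tainted_value)


if __name__ == "__main__":
    vuln = error_page_vulnerable(SAMPLE_PATH)
    fixed = error_page_fixed(SAMPLE_PATH)
    print("vulnerable page reflects raw payload:",
          reflects_active_markup(vuln, XSS_PAYLOAD))
    print("fixed page reflects raw payload:",
          reflects_active_markup(fixed, XSS_PAYLOAD))
    print("fixed page reflects encoded payload:",
          reflection_is_encoded(fixed, XSS_PAYLOAD))
```

The encoding has to match the context the value is written into: entity
encoding is right for an HTML body or a quoted attribute, but a value placed
inside a script block or a URL attribute needs JavaScript string encoding or
URL encoding respectively, and a value that is first HTML-encoded and then
decoded again by a template engine ends up just as exposed as the raw one.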
Workaround / Fix:
-----------------
This issue is fixed by HTML-encoding user-provided input before it is written
back into the page, so that injected markup is rendered as text instead of
being interpreted by the browser. The vendor releases listed above contain
the fix.

Timeline:
---------
2019-11-06: Discovery by Ville Koch
2019-11-11: Initial vendor notification
2019-11-11: Initial vendor response
2019-11-15: Release of patch
2019-11-28: Requested CVE ID
2019-11-28: Assigned CVE-2019-19381
2020-03-09: Coordinated public disclosure date

References:
-----------
[1] https://www.abacus.ch/de/unternehmen/das-ist-abacus/
[2] https://classic.abacus.ch/downloads-page/servicepacks/version-2019/