Home Tools Exploits & CVE's Financials By Coda Cross Site Scripting

Financials By Coda Cross Site Scripting

March 19, 2024

Financials by Coda versions prior to 2023Q4 suffer from a cross site scripting vulnerability.

advisories | CVE-2024-28734

# Vulnerability type: Cross-site Scripting
# Vendor: https://www.unit4.com/
# Product: Financials by Coda
# Product site: https://www.unit4.com/fr/products/financial-management-software
# Affected version: < 2023Q4
# Fixed version: 2023Q4
# Credit: Léo DRAGHI
# CVE: CVE-2024-28734

# PROOF OF CONCEPT
The /coda/frameset endpoint, accessible by any unauthenticated user, reflects the value of the cols parameter. 
Since this value is not properly sanitized and encoded when the web page is rendered, this could allow a malicious actor to execute JavaScript code in the context of another user's browser by only sending to a victim a malicious link.

GET /coda/frameset?cols="><frame%20src="javascript:alert('XSS')"> HTTP/2
Host: <target>

# TIMELINE
– 30/10/2023: Vulnerability found
– 02/11/2023: Vendor informed
– 05/12/2023: Vendor fixed the issue
– 14/03/2024: Public disclosure

Financials By Coda Cross Site Scripting

Follow us on Instagram @thecyberpost

EDITOR PICKS

Palo Alto PAN-OS Command Execution / Arbitrary File Creation

Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution

Gambio Online Webshop 4.9.2.0 Remote Code Execution

POPULAR POSTS

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

Domhttpx – A Google Search Engine Dorker With HTTP Toolkit Built...

POPULAR CATEGORY

crewjam/saml Signature Bypass

Sentrifugo 3.2 Shell Upload / Restriction Bypass

Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Read