Thinfinity VirtualUI version 184.108.40.206 suffers from an iframe injection vulnerability.
advisories | CVE-2021-45092
Exploit Title: Thinfinity VirtualUI 220.127.116.11 - IFRAME Injection
Exploit Author: Daniel Morales
Vendor: https://www.cybelesoft.com <https://www.cybelesoft.com/>
Software Link: https://www.cybelesoft.com/thinfinity/virtualui/ <https://www.cybelesoft.com/thinfinity/virtualui/>
Version: Thinfinity VirtualUI < v3.0
Tested on: Microsoft Windows
How it works
By accessing the following payload (URL) an attacker could iframe any external website (of course, only external endpoints that allows being iframed).
The vulnerable vector is "https://example.com/lab.html?vpath=//wikipedia.com <https://example.com/lab.html?vpath=//wikipedia.com> " where "vpath=//" is the pointer to the external site to be iframed.
It has been tested in VirtualUI version 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206 and 220.127.116.11.