Authored by Daniel Morales

Thinfinity VirtualUI version suffers from an iframe injection vulnerability.

advisories | CVE-2021-45092

Exploit Title: Thinfinity VirtualUI - IFRAME Injection
Date: 16/12/2021
Exploit Author: Daniel Morales
Vendor: <>
Software Link: <>
Version: Thinfinity VirtualUI < v3.0
Tested on: Microsoft Windows
CVE: CVE-2021-45092

How it works
By accessing the following payload (URL), an attacker could iframe any external website (of course, only external endpoints that allow being iframed).

The vulnerable vector is " <> " where "vpath=//" is the pointer to the external site to be iframed.
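
A server-side check for the "vpath" parameter described above, as an added example that is not part of the original advisory or the vendor's code: it accepts only values that resolve to a path on the application's own origin. APP_ORIGIN, the /page request path and the function names are assumptions made for the illustration.

```javascript
// Added example, not vendor code. APP_ORIGIN and the request paths passed to
// checkRequest() are constructed placeholders.
const APP_ORIGIN = "https://virtualui.example";

// True only when a decoded vpath value names a path on APP_ORIGIN.
function isLocalVpath(value) {
  if (typeof value !== "string" || value.length === 0) return false;
  // Browsers drop tab/CR/LF inside URLs and treat "\" like "/" for http(s),
  // so refuse control characters and backslashes outright.
  if (/[\u0000-\u001f\u007f\\]/.test(value)) return false;
  // A leading "//" is a protocol-relative URL, i.e. another host.
  if (!value.startsWith("/") || value.startsWith("//")) return false;
  try {
    // Resolve the value the way a browser would and compare origins.
    return new URL(value, APP_ORIGIN).origin === APP_ORIGIN;
  } catch {
    return false;
  }
}

// Classifies a request URL as "no-vpath", "allow" or "reject".
function checkRequest(requestUrl) {
  // searchParams percent-decodes each value once, so "%2F%2F" is seen as "//".
  const params = new URL(requestUrl, APP_ORIGIN).searchParams;
  const values = params.getAll("vpath");
  if (values.length === 0) return "no-vpath";
  // Every occurrence must pass, so a duplicated parameter cannot slip through.
  return values.every(isLocalVpath) ? "allow" : "reject";
}

// Constructed sample requests.
const samples = [
  "/page?vpath=/apps/calc",
  "/page?vpath=//external.example",
  "/page?vpath=%2F%2Fexternal.example",
  "/page?vpath=/apps/calc&vpath=//external.example",
  "/page",
];
for (const req of samples) console.log(checkRequest(req).padEnd(9), req);
```
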

Vulnerable versions
It has been tested in VirtualUI version,,,, and
