CA17 / TeamsACS

TeamsACS exclusively serves Mikrotik's TR069 ACS server
GNU Lesser General Public License v3.0

CVE-2024-22780 - Cross Site Scripting vulnerability in CA17 TeamsACS v.1.0.1 allows a remote attacker to execute arbitrary code via a crafted script to the errmsg parameter. #26

Open fuomag9 opened 3 months ago

fuomag9 commented 3 months ago

As per #25, I am publishing the security issue I found within your project, as there is no way to contact the maintainer of this repository.

[Description] Cross Site Scripting vulnerability in CA17 TeamsACS v.1.0.1 allows a remote attacker to execute arbitrary code via a crafted script to the errmsg parameter.

[Vulnerability Type] Cross Site Scripting (XSS)

[Vendor of Product] CA17

[Affected Product Code Base] https://github.com/CA17/TeamsACS - 1.0.1

[Affected Component] errmsg parameter in the /login endpoint

[Attack Type] Remote

[Impact Code execution] true

[Impact Information Disclosure] true

[Attack Vectors] To exploit the vulnerability the victim has to click on a specifically crafted URL (e.g. address:port/login?errmsg={ANY_HTML_TAG})

[Discoverer] @fuomag9

fuomag9 commented 3 months ago

Now disclosed at https://www.cve.org/CVERecord?id=CVE-2024-22780 as well

jamiesun commented 1 month ago

Thank you, I'll deal with it as soon as I can.
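
The reflected `errmsg` pattern described in the report above, next to one way to close it, as an added Go example that is not part of the original issue and is not TeamsACS code. The handlers, page markup and `Render` helper are hypothetical, and the sample value is a constructed, harmless stand-in for `{ANY_HTML_TAG}`.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Hypothetical login page markup; the project's real template is not shown in the issue.
const pageFmt = `<form method="post" action="/login"><p class="error">%s</p></form>`

var pageTmpl = template.Must(template.New("login").Parse(
	`<form method="post" action="/login"><p class="error">{{.}}</p></form>`))

// loginReflected shows the reported pattern: errmsg is copied into the HTML
// response as-is, so any markup in the query string becomes part of the page.
func loginReflected(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, pageFmt, r.URL.Query().Get("errmsg"))
}

// loginEscaped renders the same page through html/template, which escapes the
// value for the HTML text context, and sets a CSP as defence in depth.
func loginEscaped(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set("Content-Security-Policy", "default-src 'self'")
	if err := pageTmpl.Execute(w, r.URL.Query().Get("errmsg")); err != nil {
		http.Error(w, "template error", http.StatusInternalServerError)
	}
}

// Render calls a handler with the given errmsg value and returns the response body.
func Render(h http.HandlerFunc, errmsg string) string {
	req := httptest.NewRequest(http.MethodGet, "/login?errmsg="+url.QueryEscape(errmsg), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

func main() {
	sample := "<b>injected</b>" // constructed, harmless stand-in for {ANY_HTML_TAG}
	fmt.Println("reflected:", Render(loginReflected, sample))
	fmt.Println("escaped:  ", Render(loginEscaped, sample))
}
```

The same `Render` comparison works as a regression test once the real `/login` handler is fixed: the response body must never contain the submitted markup verbatim.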