/
XSS vulnerability in Digital Access
Document toolboxDocument toolbox

Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

XSS vulnerability in Digital Access

Owned by Ylva Andersson
Last updated: yesterday at 3:08 pmVersion comment
2 min read

Latest update date of this article:
2025-01-23

General information

An XSS vulnerability has been discovered in Nexus Digital Access.

A URL query parameter on the password reset page in self-service is vulnerable to XSS injection. This means that if the session cookies are not configured in a secure manner an evil attacker could craft a link that can give access to sensitive information and possibly overtaking the session. In order to exploit this an authenticated user must be tricked to visit a vulnerable link.

Versions affected

All Digital Access versions currently not EOL are affected by this vulnerability.

Step-by-step instruction to resolve and remove the vulnerability

  1. Make sure that cookies are handled securely. In the Administration service: Go to Manage System > Access Points > Manage Global Access Point Settings > Advanced settings
    The following checkboxes must be checked:

Session control DA.png

  1. Click Browse in the upper right corner of the window.

  2. Locate the passwordSet.js file under access-point/built-in-files/wwwroot/wa/scripts

  3. Click the edit symbol (sheet with a pencil) and edit the file as explained below:

    1. In the method loadPage locate this row:
      $(".form-message").html( decodeUrlParameter(decodeURI( message ) )) ;

      Change it (by replacing html with text) to:
      $(".form-message").text( decodeUrlParameter(decodeURI( message ) )) ;

    2. In the method displaySuccessMessage locate this row:
      $(".form-message").html( decodeUrlParameter( message ) );

      Change it (by replacing html with text) to:

      $(".form-message").text( decodeUrlParameter( message ) );

  4. Click Save and close the browser window.

  5. Click Publish (it may not be blue at this point but it will still work).

  6. Validate the fix by visiting the following link:

https://<your dns name>/wa/passwordSet.html?userID=testuser</script>&phoneNumber=&message=<script>alert(%27if%20this%20is%20shown%20in%20a%20popup%20the%20system%20is%20not%20safe.%20If%20it%20is%20shown%20in%20the%20web%20page%20the%20system%20is%20safe%27);</script>

The dns name must be modified to the server dns name.

A popup should not be shown and if this is the case the system is no longer vulnerable for this issue.

Contact Nexus support for more details.

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions