CVE-2023-41103

by mrahier96

Abstract Advisory Information

The feature for attaching a document to a post is prone to stored Cross-site Scripting (XSS) in several locations, allowing an attacker to store a JavaScript payload.

Author: Dominique Righetto

Version affected

Name: Interact Software

Versions: 7.9.79.5

Common Vulnerability Scoring System

CVSS SCORE 5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Patch

No patch available

References

CVE – CVE-2023-41103 (mitre.org)

Vulnerability Disclosure Timeline

    • 20/05/2022: Vulnerability discovery
    • 22/05/2022: Vulnerability Report to CERT-XLM
    • 05/06/2022: Vulnerability Report to Vendor through investigation
    • 05/06/2022: Vulnerability Report to Vendor through investigation
    • 13/06/2022: Vulnerability Report to Vendor through investigation
    • 20/06/2022: Community account creation requested from InteractSoftware to contact their technical department
    • 20/06/2022: Vulnerability Report to Vendor through investigation
    • 20/06/2022: Vendor urged to reply via Twitter
    • 04/07/2023: Update requested from vendor through investigation
    • 04/07/2023: Update requested from vendor on the community account creation
    • 15/07/2023: Ticket for a community account creation closed
    • 17/07/2023: Reply to help@interact-intranet.com asking for an update
    • 19/07/2023: Reply to help@interact-intranet.com asking for an update
    • 01/08/2023: Phone call to +1 (646) 564 5775, gave vendor information for them to reach us back
    • 01/08/2023: Phone call to +1 (646) 564 5775
    • 16/08/2023: Phone call to +1 (646) 564 5775, got redirected to help@interactsoftware.com.
    • 16/08/2023: Update requested from help@interactsoftware.com.
    • 16/08/2023: CVE ID requested from MITRE
    • 23/08/2023: CVE ID assigned: CVE-2023-41103
    • 24/08/2023: Vulnerability disclosure