By Rodolfo Tavares and Niklas Corrรชa
As part of the Tempest Technical Consulting team’s research results, it was possible to identify and report vulnerabilities affecting LumisXP, which were registered by MITRE under the following identifiers:
- CVE-2024-33326: Cross-Site Scripting (XSS) vulnerability in the `XsltResultControllerHtml.jsp` page in LumisXP versions 15.0.x to 16.1.x.
- CVE-2024-33327: Cross-Site Scripting (XSS) vulnerability in the `UrlAccessibilityEvaluation.jsp` page in LumisXP versions 15.0.x to 16.1.x.
- CVE-2024-33328: Cross-Site Scripting (XSS) vulnerability in the `main.jsp` page in LumisXP versions 15.0.x to 16.1.x.
- CVE-2024-33329: Vulnerability caused by the use of verified fixed GUIDs in LumisXP versions 15.0.x to 16.1.x.
The four flaws exploit different problems, but are related to inadequate input control and the use of fixed GUIDs:
- CVE-2024-33326: Allows the execution of arbitrary scripts by injecting malicious code into the `lumPageID` parameter of the `XsltResultControllerHtml.jsp` page.
- CVE-2024-33327: XSS exploit on the `UrlAccessibilityEvaluation.jsp` page via the `contentHtml` parameter.
- CVE-2024-33328: Allows the execution of arbitrary scripts by injecting malicious code into the `pageId` parameter of the `main.jsp` page.
- CVE-2024-33329: Use of embedded GUIDs that allow unauthorized access to LumisXP internal pages and sensitive information.
By exploiting the flaws described in these CVEs, it becomes possible to execute malicious scripts, obtain sensitive information, and access internal pages of the LumisXP system. All the exploits discussed can be carried out unauthenticated and remotely.
The vulnerabilities addressed in this publication have been reported to Lumis, which has resolved the flaws that were affecting the LumisXP framework. Technical details on the flaws identified are available: