CVE-2023-46595
Net-NTLM leak via HTML injection vulnerability
| Announced | 2023-11-02 |
| Impact | Medium |
| Base CVSS Score | 5.9 |
| Product | AlgoSec FireFlow |
| Affected Versions |
A32.20 (up to build b560) A32.50 (up to build b390) A32.60 (up to build 210) |
| Fixed in Version |
A32.20 (b570 and above) A32.50 (b400 and above) A32.60 (220 and above) |
| Finder | Michał Bogdanowicz from Nordea Bank ABP |
Description
AlgoSec FireFlow VisualFlow workflow editor allows saving workflow entities with special html characters in the Name and Description fields, which is further displayed and executed on the Workflows List page in the application. This vulnerability also impacts Workflow editor's outbound actions via Name and Category fields, which is displayed and executed on the Workflow Entity page.
By abusing this behavior, it is possible to obtain the victim’s domain credentials: Net-NTLM hash, and thus open the way to relay domain attacks.
Issues addressed as part of this vulnerability
-
Net-NTLM leak via stored HTML injection in FireFlow's VisualFlow workflow editor using Name and Description parameters.
-
Net-NTLM leak via stored HTML injection in FireFlow's VisualFlow workflow editor using outbound actions Name and Category parameters
Solution
Upgrade ASMS to the fixed build as forbidden characters are escaped in all affected fields of AlgoSec FireFlow VisualFlow workflow editor.
References
-
CVE-2023-46595 in cve.org