Versions of i-doit Pro prior to 25 are susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability enables remote authenticated attackers, irrespective of their privilege level, to store malicious data, like XSS payloads or counterfeit HTML pages, within a database. Consequently, this action triggers the XSS payload when the webpage is accessed.
Product Description: i-doit is a web-based and open-sourced Configuration and Management Database, CMDB, published by Synetics GmbH.
Affected Path: / and /index.php
Affected Parameters / Components : ‘Title’ , ‘SYSID prefix’ , ‘Language content’ , ‘Automatic Inventory number’ , ‘objectTitle’ , ‘Description’
Note: The developers have acknowledged the affected parameters, acknowledging their existence since there are more than 20 parameters in total.
The screenshot below illustrates one of the affected components. It’s important to note that this is just an example, as more than 20 data fields have been impacted.
The following screenshots illustrate the triggering of XSS.
