I-doit Open v24 and below are vulnerable to reflected XSS. The vulnerability allows attackers to send the malicious URL containing the javascript payload to victims and make them execute the payload unintentionally.
Product Description: i-doit is a web-based and open-sourced Configuration and Management Database, CMDB, published by Synetics GmbH.
Vulnerability Description: The vulnerability allows attackers to send a URL containing the malicious payload to potential victims and make them execute arbitrary javascript code. It’s worth noting that it can only be triggered by authenticated users.
Affected path: /
Affected Parameter: timeout
Payload demonstration: /?timeout”><script>alert(“XSS”)</script>
Screenshot of the execution of the payload:
