CVE-2021-45092
Published 2021-12-16
Priority: P185, critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
In the wild (ITW), exploit available, VulnCheck KEV
Exploited in the wild
EPSS: 39.97% (98.4th percentile)
Thinfinity VirtualUI before 3.0 has functionality in /lab.html reachable by default that could allow IFRAME injection via the vpath parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cybelesoft | thinfinity_virtualui | < 3.0 | 3.0 |
Detection & IOCs (extracted from sources)
Sigma:
GET /lab.html?vpath=// (regex match: .*vpath.* AND thinfinity)
- Use Shodan/FOFA/Google dorks to identify exposed Thinfinity VirtualUI instances as potential targets: http.title:"thinfinity virtualui" / title="thinfinity virtualui" / intitle:"thinfinity virtualui"
- Affected versions confirmed by exploit author: VirtualUI 2.1.37.2, 2.1.42.2, 2.5.0.0, 2.5.36.1, 2.5.36.2, and 2.5.41.0; all versions before 3.0 are considered vulnerable.
- The vulnerable endpoint /lab.html is reachable by default with no authentication required, meaning no special configuration is needed for exploitation; unauthenticated attackers can reach it on any default install.
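The Sigma pattern above only says "vpath plus thinfinity"; a log-side check can be tighter. The following is an added example, not part of this record or of any vendor or Sigma rule: it scans web-server access-log lines in common log format for requests to /lab.html whose vpath value points off-host (protocol-relative `//host/...`, the backslash variant, or an absolute URL with a scheme), which is the shape of the published IFRAME injection. The log lines, hostnames and IP addresses are constructed; the case-insensitive path match assumes a Windows/IIS-style host.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); not taken from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2024:10:01:02 +0000] "GET /lab.html?vpath=//evil.example/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Jan/2024:10:01:03 +0000] "GET /lab.html?vpath=%2F%2Fevil.example%2Fphish HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Jan/2024:10:02:00 +0000] "GET /lab.html?vpath=/apps/demo HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Jan/2024:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jan/2024:10:03:00 +0000] "GET /lab.html?vpath=https://evil.example/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Source address, timestamp, method and request target of a common-log-format line.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def is_external_vpath(value):
    """True when a vpath value would frame an off-host resource.

    A legitimate vpath is a relative path on the VirtualUI host (assumption);
    a protocol-relative or absolute URL is the injection shape described above.
    """
    # Decode twice so a double-encoded value is inspected in its final form.
    v = unquote(unquote(value)).strip()
    # "//host/..." and "\\host\..." both resolve to another origin in browsers.
    if v.startswith("//") or v.startswith("\\\\"):
        return True
    parts = urlsplit(v)
    return bool(parts.scheme) and bool(parts.netloc)


def find_vpath_injection(log_text):
    """Return one hit per /lab.html request whose vpath is external."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        target = urlsplit(m.group("target"))
        if target.path.lower() != "/lab.html":  # IIS-style case-insensitive path
            continue
        # parse_qs percent-decodes once; is_external_vpath handles a second layer.
        for value in parse_qs(target.query, keep_blank_values=True).get("vpath", []):
            if is_external_vpath(value):
                hits.append({
                    "src": m.group("src"),
                    "ts": m.group("ts"),
                    "vpath": unquote(unquote(value)),
                })
    return hits


if __name__ == "__main__":
    for hit in find_vpath_injection(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} vpath={hit['vpath']}")
```

Three of the five constructed lines are flagged (the plain, percent-encoded and absolute-URL forms); the relative `/apps/demo` request and the unrelated `/index.html` request are not. Run it over real logs by passing the file contents to `find_vpath_injection`.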
CVSS provenance
NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-fc56-476w-j7fm: Thinfinity VirtualUI before 3
Source: GHSA (unreviewed), 2021-12-17. CVE-2021-45092 [CRITICAL], CWE-74.
Thinfinity VirtualUI before 3.0 has functionality in /lab.html reachable by default that could allow IFRAME injection via the vpath parameter.
VulnCheck
Thinfinity VirtualUI before 3.0 lab.html IFRAME Injection
Source: VulnCheck, 2021. CVE-2021-45092 [CRITICAL], CVSS 9.8.
Thinfinity VirtualUI before 3.0 has functionality in /lab.html reachable by default that could allow IFRAME injection via the vpath parameter.
Affected: cybelesoft thinfinity_virtualui
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2021-45092; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-24&host_type=src&vulnerability=cve-2021-45092; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-27&host_type=src&vul
No detection rules found.
Exploit-DB
Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection
Source: Exploit-DB, 2022-02-21. CVE-2021-45092 [CRITICAL], CVSS 9.8.
---
Exploit Title: Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection
Date: 16/12/2021
Exploit Author: Daniel Morales
Vendor: https://www.cybelesoft.com
Software Link: https://www.cybelesoft.com/thinfinity/virtualui/
Version: Thinfinity VirtualUI " where "vpath=//" is the pointer to the external site to be iframed.
Vulnerable versions
It has been tested in VirtualUI version 2.1.37.2, 2.1.42.2, 2.5.0.0, 2.5.36.1, 2.5.36.2 and 2.5.41.0.
References
https://github.com/cybelesoft/virtualui/issues/2
https://www.tenable.com/cve/CVE-2021-45092
https://twitter.com/danielmofer
Nuclei
Thinfinity Iframe Injection
Source: Nuclei, CVSS 5.3. CVE-2021-45092 [MEDIUM].
A vulnerability exists in Thinfinity VirtualUI in a function located in /lab.html, reachable by default, which could allow IFRAME injection via the "vpath" parameter.
Template:

```yaml
id: CVE-2021-45092

info:
  name: Thinfinity Iframe Injection
  author: danielmofer
  severity: critical
  description: A vulnerability exists in Thinfinity VirtualUI in a function located in /lab.html reachable which by default could allow IFRAME injection via the "vpath" parameter.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential remote code execution.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the vulnerability.
  reference:
    - https://github.com/cybelesoft/virtualui/issues/2
    - http
```