CVE-2023-41642
published 2023-08-31

Priority: P2 78 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Flags: ITW exploit, VulnCheck KEV
Exploited in the wild
EPSS: 1.07% (60.7th percentile)
Multiple reflected cross-site scripting (XSS) vulnerabilities in the ErroreNonGestito.aspx component of GruppoSCAI RealGimm 1.1.37p38 allow attackers to execute arbitrary Javascript in the context of a victim user's browser via a crafted payload injected into the VIEWSTATE parameter.

Affected (1 range)

Vendor: grupposcai
Product: realgimm
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

path: /RealGimmWeb/Pages/Sistema/LogObjectTrace.aspx
path: /RealGimmWeb/Pages/ErroreNonGestito.aspx
ua: alert(document.domain)
command: __EVENTTARGET=T1bPulsantiera&EVENTARGUMENT=TlbPulsantiera_Item_0%3AUP&___VIEWSTATE='TESTING&LeftArea%3ALeftMenu_hidden=&T1bPulsantiera_CancelClick=false&TlbPulsantiera_hidden=&cbUtente=&txtDataRichiestaDa=&txtDataRichiestaA=&TopArea%3ATopMenu=
  • Detect CVE-2023-41642 exploitation by matching the HTTP response body for both the 'alert(document.domain)' and 'Invalid_Viewstate' strings together in a response from ErroreNonGestito.aspx.
  • The XSS payload is delivered via the VIEWSTATE POST parameter to LogObjectTrace.aspx and is then reflected through ErroreNonGestito.aspx: monitor POST requests to LogObjectTrace.aspx carrying a malformed or crafted ___VIEWSTATE value that are followed by a GET to ErroreNonGestito.aspx.
  • The exploit uses the HTTP User-Agent header as the carrier for the XSS payload (set to 'alert(document.domain)'), which is atypical; alert on requests to RealGimm paths whose User-Agent contains JavaScript expressions.
  • The response Content-Type must be text/html for the XSS to be effective, so match on the response Content-Type header containing 'text/html' alongside the body indicators.
  • The vulnerability is confirmed only in RealGimm version 1.1.37p38; scope detections to this specific version to reduce false positives.
  • The attack is unauthenticated (PR:N) and requires user interaction (UI:R), meaning the reflected XSS must be delivered to a victim; passive network monitoring alone may miss client-side execution.
  • The exploit is a two-step HTTP sequence: a POST to LogObjectTrace.aspx triggers the error state, then a GET to ErroreNonGestito.aspx reflects the payload. Single-request detections will miss the full attack chain.
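The following Python sketch is an added example, not code from the source or the vendor: it applies the detection points above (two-step POST/GET sequence per client, body and Content-Type indicators on the error page, JavaScript syntax in the User-Agent) to a few constructed proxy-log records. The record field names, the 30-second correlation window and the sample traffic are assumptions.

```python
from datetime import datetime, timedelta

# Indicators taken from the record above
TRIGGER_PATH = "/RealGimmWeb/Pages/Sistema/LogObjectTrace.aspx"
REFLECT_PATH = "/RealGimmWeb/Pages/ErroreNonGestito.aspx"
BODY_MARKERS = ("alert(document.domain)", "Invalid_Viewstate")
WINDOW = timedelta(seconds=30)  # assumed window between the POST and the GET

def looks_like_js(ua: str) -> bool:
    """Real User-Agents contain parentheses, so also require a JS keyword."""
    return "(" in ua and ")" in ua and any(k in ua for k in ("alert", "document.", "<script"))

def detect(records):
    """records: dicts with ts, src, method, path, ua, ctype, body (assumed schema).
    Returns (rule, client, timestamp) tuples, one per matched rule."""
    alerts = []
    last_trigger = {}  # client -> time of its latest POST to the trigger page
    for r in sorted(records, key=lambda x: x["ts"]):
        path = r["path"].split("?")[0]
        if path.startswith("/RealGimmWeb/") and looks_like_js(r.get("ua", "")):
            alerts.append(("js-in-user-agent", r["src"], r["ts"]))
        if r["method"] == "POST" and path == TRIGGER_PATH:
            last_trigger[r["src"]] = r["ts"]
        elif r["method"] == "GET" and path == REFLECT_PATH:
            body_hit = all(m in r.get("body", "") for m in BODY_MARKERS)
            is_html = "text/html" in r.get("ctype", "")
            prior = last_trigger.get(r["src"])
            if body_hit and is_html:
                alerts.append(("reflected-payload-in-error-page", r["src"], r["ts"]))
            if prior is not None and r["ts"] - prior <= WINDOW:
                alerts.append(("trigger-then-error-page-sequence", r["src"], r["ts"]))
    return alerts

T0 = datetime(2024, 1, 1, 12, 0, 0)

def rec(offset, src, method, path, ua, ctype, body):
    """Build one constructed log record in the assumed schema."""
    return {"ts": T0 + timedelta(seconds=offset), "src": src, "method": method,
            "path": path, "ua": ua, "ctype": ctype, "body": body}

SAMPLE = [  # constructed records, not real traffic
    rec(0, "10.0.0.5", "GET", REFLECT_PATH, "Mozilla/5.0", "text/html", "<html>Errore</html>"),
    rec(2, "10.0.0.9", "POST", TRIGGER_PATH, "alert(document.domain)", "text/html", ""),
    rec(3, "10.0.0.9", "GET", REFLECT_PATH, "alert(document.domain)", "text/html; charset=utf-8",
        "<html>Invalid_Viewstate ... alert(document.domain)</html>"),
]

if __name__ == "__main__":
    for rule, client, ts in detect(SAMPLE):
        print(ts.isoformat(), client, rule)
```

The benign first record produces no alert; the second client trips all three rules, and the sequence rule only fires because the POST and GET come from the same client inside the window.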

CVSS provenance

NVD (v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
VulnCheck: 6.1 MEDIUM