CVE-2023-41642
Published: 2023-08-31
Priority: P278 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.07% (60.7th percentile)
Multiple reflected cross-site scripting (XSS) vulnerabilities in the ErroreNonGestito.aspx component of GruppoSCAI RealGimm 1.1.37p38 allow attackers to execute arbitrary Javascript in the context of a victim user's browser via a crafted payload injected into the VIEWSTATE parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grupposcai | realgimm | — | — |
Detection & IOCs (extracted from sources)
command: `__EVENTTARGET=T1bPulsantiera&EVENTARGUMENT=TlbPulsantiera_Item_0%3AUP&___VIEWSTATE='TESTING&LeftArea%3ALeftMenu_hidden=&T1bPulsantiera_CancelClick=false&TlbPulsantiera_hidden=&cbUtente=&txtDataRichiestaDa=&txtDataRichiestaA=&TopArea%3ATopMenu=`
- Detect CVE-2023-41642 exploitation by matching the HTTP response body for both 'alert(document.domain)' and 'Invalid_Viewstate' strings together in a response from ErroreNonGestito.aspx.
- The XSS payload is delivered via the VIEWSTATE POST parameter to LogObjectTrace.aspx, which then reflects through ErroreNonGestito.aspx. Monitor POST requests to LogObjectTrace.aspx with a malformed/crafted ___VIEWSTATE value followed by a GET to ErroreNonGestito.aspx.
- The exploit uses the HTTP User-Agent header as the XSS payload carrier (set to 'alert(document.domain)'), which is atypical. Alert on requests to RealGimm paths where the User-Agent contains JavaScript expressions.
- The response Content-Type must be text/html for the XSS to be effective. Match on header_2 containing 'text/html' alongside the body indicators.
- The vulnerability is confirmed only in RealGimm version 1.1.37p38; detections should be scoped to this specific version to reduce false positives.
- The attack is unauthenticated (PR:N) and requires user interaction (UI:R), meaning the reflected XSS must be delivered to a victim; passive network monitoring alone may miss client-side execution.
- The exploit is a two-step HTTP sequence: a POST to LogObjectTrace.aspx triggers the error state, then a GET to ErroreNonGestito.aspx reflects the payload. Single-request detections will miss the full attack chain.
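The detection notes above, sketched as a log-correlation check. This is an added example, not code from the advisory or the Nuclei template; the combined-log format, the `/app/` path prefix, the 30-second window and the User-Agent heuristic are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
# Heuristic (assumption): script-like tokens that do not occur in ordinary browser User-Agents.
JS_IN_UA = re.compile(r'(?i)<script|\b(alert|eval|prompt|confirm)\s*\(|document\.(domain|cookie)|javascript:')

# Constructed sample lines; addresses are documentation ranges, /app/ is a placeholder prefix.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Jul/2024:10:00:01 +0000] "POST /app/LogObjectTrace.aspx HTTP/1.1" 302 0 "-" "alert(document.domain)"
192.0.2.10 - - [24/Jul/2024:10:00:02 +0000] "GET /app/ErroreNonGestito.aspx HTTP/1.1" 200 5120 "-" "alert(document.domain)"
198.51.100.7 - - [24/Jul/2024:10:05:00 +0000] "GET /app/ErroreNonGestito.aspx HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [24/Jul/2024:10:06:00 +0000] "POST /app/LogObjectTrace.aspx HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

def detect(log_text, window=timedelta(seconds=30)):
    """Return (client, reason, page) tuples for the two request-side indicators."""
    last_post = {}  # client -> time of its most recent POST to LogObjectTrace.aspx
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, ts, method, path, ua = m.group(1, 2, 3, 4, 5)
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        page = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if page not in ("logobjecttrace.aspx", "errorenongestito.aspx"):
            continue
        if JS_IN_UA.search(ua):
            findings.append((client, "script-like User-Agent", page))
        if method == "POST" and page == "logobjecttrace.aspx":
            last_post[client] = when
        elif method == "GET" and page == "errorenongestito.aspx":
            t0 = last_post.pop(client, None)
            # Flag only when the GET follows the same client's POST within the window.
            if t0 is not None and when - t0 <= window:
                findings.append((client, "POST-then-GET chain", page))
    return findings

def response_matches(content_type, body):
    """Response-side check: both body strings together, in a text/html response."""
    return ("text/html" in content_type.lower()
            and "alert(document.domain)" in body
            and "Invalid_Viewstate" in body)
```

Access logs normally omit POST bodies, so the malformed `___VIEWSTATE` value itself is only visible to a WAF or proxy that inspects request bodies; the sequence and User-Agent checks work from access logs alone.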
CVSS provenance
nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck · 6.1 MEDIUM
GHSA
ghsa_unreviewed·2023-08-31
CVE-2023-41642 [MEDIUM] CWE-79 GHSA-6p75-39hf-wqx7: Multiple reflected cross-site scripting (XSS) vulnerabilities in the ErroreNonGestito
VulnCheck
grupposcai realgimm Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2023·CVSS 6.1
CVE-2023-41642 [MEDIUM] grupposcai realgimm Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected: grupposcai realgimm
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-07-24&host_type=src&vulnerability=cve-2023-41642; https://dashboard.shadowserver.org/statistics/honeypot/vulnera
No detection rules found.
Nuclei
RealGimm by GruppoSCAI v1.1.37p38 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2023-41642 [MEDIUM] RealGimm by GruppoSCAI v1.1.37p38 - Cross-Site Scripting
Template:
```yaml
id: CVE-2023-41642
info:
  name: RealGimm by GruppoSCAI v1.1.37p38 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    Multiple reflected cross-site scripting (XSS) vulnerabilities in the ErroreNonGestito.aspx component of GruppoSCAI RealGimm 1.1.37p38 allow attackers to execute arbitrary Javascript in the context of a victim user's browser via a crafted payload injected into the VIEWSTATE parameter.
  impact: |
    Unauthen
```
https://github.com/CapgeminiCisRedTeam/Disclosure/blob/f7aafa9fcd4efa30071c7f77d3e9e6b14e92302b/CVE%20PoC/CVE-2023-41642%20%7C%20RealGimm%20%20-%20Reflected%20Cross-site%20Scripting.md
https://github.com/CapgeminiCisRedTeam/Disclosure/blob/main/CVE%20PoC/CVE-ID%20%7C%20RealGimm%20%20-%20Reflected%20Cross-site%20Scripting.md
2023-08-31: Published
Exploited in the wild