CVE-2023-6275
published 2023-11-24


Priority: P3 · 41 · medium · 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Exploit: publicly disclosed
EPSS: 2.38% (81.8th percentile)
A vulnerability was found in TOTVS Fluig Platform 1.6.x/1.7.x/1.8.0/1.8.1. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /mobileredir/openApp.jsp of the component mobileredir. The manipulation of the argument redirectUrl/user with the input ">alert(document.domain) leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.1-231128, 1.8.0-231127 and 1.8.1-231127 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-246104.

Affected (5 ranges)

Vendor   Product          Version range       Fixed in
totvs    fluig            >= 1.6.0 < 1.8.1    1.8.1
totvs    fluig_platform   (not given)         (not given)
totvs    fluig_platform   (not given)         (not given)
totvs    fluig_platform   (not given)         (not given)
totvs    fluig_platform   (not given)         (not given)

Detection & IOCs (extracted from sources)

path: /mobileredir/openApp.jsp
url: {{BaseURL}}/mobileredir/openApp.jsp?redirectUrl=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
url: {{BaseURL}}/mobileredir/openApp.jsp?user=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
yara: id: CVE-2023-6275, Nuclei template matching words: '">alert(document.domain)' AND 'fluig://' in HTTP response body with content-type text/html and status 200
  • Detect exploitation attempts by monitoring GET requests to /mobileredir/openApp.jsp with URL-encoded XSS payloads in the 'redirectUrl' or 'user' query parameters (e.g., %22%3E%3Cscript%3E).
  • Confirm successful XSS reflection by checking that the HTTP 200 response body contains both the literal string '">alert(document.domain)' and 'fluig://' with content-type text/html.
  • Use FOFA query 'app="TOTVS-Fluig"' to identify internet-exposed TOTVS Fluig Platform instances for targeted scanning.
  • The vulnerability is unauthenticated (PR:N) and remotely exploitable; no session or credentials are required to trigger the reflected XSS.
  • Affected versions are 1.6.x, 1.7.x, 1.8.0, and 1.8.1. Fixed versions are 1.7.1-231128, 1.8.0-231127, and 1.8.1-231127. Detections should be scoped to unpatched instances.
  • The Nuclei template uses stop-at-first-match across two request paths; detection tooling should probe both the 'redirectUrl' and 'user' parameters independently if stop-at-first-match is not desired.
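The request-side monitoring described in the first bullet, as an added example that is not taken from the page, from TOTVS, or from any scanner's own code: a small Python scanner over constructed combined-format access-log lines that flags GET requests to /mobileredir/openApp.jsp whose redirectUrl or user parameter decodes to script markup. It goes slightly beyond the page's single-encoded payloads by also decoding double-encoded variants. The log lines, the marker list and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Nov/2023:10:01:02 +0000] "GET /mobileredir/openApp.jsp?redirectUrl=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 512
203.0.113.11 - - [24/Nov/2023:10:01:05 +0000] "GET /mobileredir/openApp.jsp?user=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 498
203.0.113.12 - - [24/Nov/2023:10:02:00 +0000] "GET /mobileredir/openApp.jsp?redirectUrl=fluig%3A%2F%2Fhome&user=alice HTTP/1.1" 200 420
203.0.113.13 - - [24/Nov/2023:10:03:00 +0000] "GET /portal/home?q=%3Cscript%3E HTTP/1.1" 404 120
203.0.113.14 - - [24/Nov/2023:10:04:00 +0000] "GET /mobileredir/openApp.jsp?user=%2522%253E%253Cscript%253E HTTP/1.1" 200 410
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
WATCHED_PATH = "/mobileredir/openApp.jsp"          # endpoint named in the advisory
WATCHED_PARAMS = ("redirectUrl", "user")           # both parameters are reflected
# Markup fragments that never belong in a redirect target or a user name (assumed list).
XSS_MARKERS = ('">', "<script", "javascript:", "onerror=", "onload=")

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%2522...) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(line):
    """Return a finding dict for a suspicious GET to the affected endpoint, else None."""
    m = REQUEST_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != WATCHED_PATH:
        return None
    # parse_qs already decodes one layer; decode_fully handles further layers.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            decoded = decode_fully(raw).lower()
            hits = [mk for mk in XSS_MARKERS if mk in decoded]
            if hits:
                return {"src": m.group("src"), "param": name,
                        "status": int(m.group("status")), "markers": hits}
    return None

def scan_log(text):
    """Run inspect_request over every line and keep only the findings."""
    return [f for f in (inspect_request(l) for l in text.splitlines()) if f]
```

A status of 200 in a finding is only a hint that the payload was served, not proof of reflection; confirming reflection needs the response body check from the second bullet.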

CVSS provenance

nvd   v3.1   6.1   MEDIUM   CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd   v2.0   4.0   MEDIUM   AV:N/AC:L/Au:S/C:N/I:P/A:N