CVE-2023-6275
Published: 2023-11-24
Priority: P3 · 41 · CVSS 3.1: 6.1 (medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: publicly disclosed
EPSS: 2.38% (81.8th percentile)
A vulnerability was found in TOTVS Fluig Platform 1.6.x/1.7.x/1.8.0/1.8.1. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /mobileredir/openApp.jsp of the component mobileredir. Manipulation of the argument redirectUrl/user with the input ">alert(document.domain) leads to reflected cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.1-231128, 1.8.0-231127 or 1.8.1-231127 addresses this issue; it is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-246104.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| totvs | fluig | >= 1.6.0 < 1.8.1 | 1.8.1 |
| totvs | fluig_platform | — | — |
| totvs | fluig_platform | — | — |
| totvs | fluig_platform | — | — |
| totvs | fluig_platform | — | — |
Detection & IOCs (extracted from sources)
- URL: {{BaseURL}}/mobileredir/openApp.jsp?redirectUrl=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
- URL: {{BaseURL}}/mobileredir/openApp.jsp?user=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
- yara: id: CVE-2023-6275 — Nuclei template matching words '">alert(document.domain)' AND 'fluig://' in an HTTP response body with content-type text/html and status 200
- Detect exploitation attempts by monitoring GET requests to /mobileredir/openApp.jsp with URL-encoded XSS payloads in the 'redirectUrl' or 'user' query parameters (e.g., %22%3E%3Cscript%3E).
- Confirm successful XSS reflection by checking that the HTTP 200 response body contains both the literal string '">alert(document.domain)' and 'fluig://' with content-type text/html.
- Use FOFA query 'app="TOTVS-Fluig"' to identify internet-exposed TOTVS Fluig Platform instances for targeted scanning.
- The vulnerability is unauthenticated (PR:N) and remotely exploitable; no session or credentials are required to trigger the reflected XSS.
- Affected versions are 1.6.x, 1.7.x, 1.8.0, and 1.8.1. Fixed versions are 1.7.1-231128, 1.8.0-231127, and 1.8.1-231127. Detections should be scoped to unpatched instances.
- The Nuclei template uses stop-at-first-match across two request paths; detection tooling should probe both the 'redirectUrl' and 'user' parameters independently if stop-at-first-match is not desired.
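As an added example (not from this page, the vendor, or the Nuclei template), the following Python check implements the first two detection points above: it flags GET requests to /mobileredir/openApp.jsp whose 'redirectUrl' or 'user' parameter decodes (even through double encoding) to script markup, and `is_reflected` mirrors the template's response matcher. The log lines are constructed samples in combined format, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Nov/2023:10:01:02 +0000] "GET /mobileredir/openApp.jsp?redirectUrl=fluig%3A%2F%2Fhome HTTP/1.1" 200 812
10.0.0.9 - - [24/Nov/2023:10:01:07 +0000] "GET /mobileredir/openApp.jsp?redirectUrl=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 901
10.0.0.9 - - [24/Nov/2023:10:01:09 +0000] "GET /mobileredir/openApp.jsp?user=%2522%253E%253Cscript%253E HTTP/1.1" 200 870
10.0.0.7 - - [24/Nov/2023:10:02:00 +0000] "GET /portal/home?user=alice HTTP/1.1" 200 5120
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
WATCHED_PATH = "/mobileredir/openApp.jsp"
WATCHED_PARAMS = ("redirectUrl", "user")
# Markup that has no business in a redirect URL or a user name.
XSS_RE = re.compile(r'"\s*>|<\s*script|javascript\s*:', re.IGNORECASE)

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%2522...) are caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_exploit_attempts(log_text: str) -> list:
    """Return (client_ip, param, decoded_value) for each suspicious openApp.jsp request."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != WATCHED_PATH:
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # decodes one layer itself
        for name in WATCHED_PARAMS:
            for raw in params.get(name, []):
                value = decode_fully(raw)
                if XSS_RE.search(value):
                    hits.append((line.split()[0], name, value))
    return hits

def is_reflected(status: int, content_type: str, body: str) -> bool:
    """Mirror the Nuclei matcher: status 200, text/html, and both marker strings in the body."""
    return status == 200 and content_type.lower().startswith("text/html") and '">alert(document.domain)' in body and "fluig://" in body
```

Run it against a real access log to triage attempts; a positive `is_reflected` on the corresponding response means the instance is still unpatched.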
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
No detection rules found.
Nuclei
TOTVS Fluig Platform - Cross-Site Scripting (nuclei · CVSS 6.1)
CVE-2023-6275 [MEDIUM] TOTVS Fluig Platform - Cross-Site Scripting
Template:
```yaml
id: CVE-2023-6275

info:
  name: TOTVS Fluig Platform - Cross-Site Scripting
  author: s4e-io
  severity: medium
  description: |
    A vulnerability was found in TOTVS Fluig Platform 1.6.x/1.7.x/1.8.0/1.8.1. It has been rated as problematic. Affected by this issue is some unknown functionality of the fil
```
Published: 2023-11-24