Platform
other
Component
fluig-platform
Fixed versions
1.6.1
1.7.1
1.8.1
1.8.2
CVE-2023-6275 is a cross-site scripting (XSS) vulnerability affecting TOTVS Fluig Platform versions up to 1.8.1. It allows an attacker to inject script into a page that is then rendered in another user's browser, which can lead to session hijacking or defacement. The flaw is in the /mobileredir/openApp.jsp file and is triggered by manipulating the redirectUrl or user parameter of a request to that page. Affected users should upgrade to version 1.7.1-231128, 1.8.0-231127, or 1.8.1-231127.
Successful exploitation of CVE-2023-6275 lets an attacker execute arbitrary JavaScript in the context of a victim's browser session on the Fluig Platform. This can be used to steal session cookies, redirect users to phishing sites, modify page content, or perform actions within the application as the victim. The impact is particularly severe where Fluig manages sensitive documents or critical business processes, since the attacker inherits whatever the victim is allowed to see and do. The attack can be launched remotely, but, as with any XSS delivered through a URL parameter, it requires a victim to open a crafted link while holding an authenticated session, so phishing or a malicious link inside the platform is the usual delivery vector.
CVE-2023-6275 has been publicly disclosed, and proof-of-concept details may be available. Although the CVSS rating is LOW, the vulnerability is trivially triggered from a single GET request, and the EPSS score listed on this page (52.49%, 98th percentile) indicates a high probability of exploitation attempts, so it warrants prompt attention. The vulnerability was published on 2023-11-24. There is no indication of active exploitation campaigns at this time, but public disclosure increases the risk of opportunistic attacks.
Organizations using TOTVS Fluig Platform for workflow automation, document management, or other business processes are at risk. Deployments on older versions (1.8.1 and earlier) and those with limited security controls or monitoring are particularly exposed. Shared environments where multiple tenants use the same Fluig Platform instance are also at increased risk, since a crafted link affects any tenant's users who open it.
Detection checks (generic web). Note that curl -I returns only the response headers, which cannot show whether the payload is reflected; fetch the body instead and grep for the unencoded payload. Access logs normally store the request URL in its URL-encoded form, so grep for both the literal and the encoded payload.
• generic web (test whether the payload is reflected unencoded in the response body):
curl -s 'https://<fluig_platform_url>/mobileredir/openApp.jsp?redirectUrl=<script>alert(document.domain)</script>' | grep -F '<script>alert(document.domain)</script>'
• generic web (look for probes in the access log, literal and URL-encoded):
grep -iE "<script>alert\(document\.domain\)</script>|%3Cscript%3Ealert\(document\.domain\)%3C%2Fscript%3E" /var/log/apache2/access.log
• generic web (same search in the error log):
grep -iE "<script>alert\(document\.domain\)</script>|%3Cscript%3Ealert\(document\.domain\)%3C%2Fscript%3E" /var/log/apache2/error.log
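The grep checks above only match one fixed payload. The following is an added example, not part of the advisory or of TOTVS code, that generalizes the log search: it parses combined-format access log lines, decodes the query string (including double encoding) and flags requests to /mobileredir/openApp.jsp whose redirectUrl or user parameter contains common XSS markers. The log lines are constructed for illustration, and the log format and pattern list are assumptions.

```python
"""Scan web access logs for CVE-2023-6275 probes against openApp.jsp.

Added example, not TOTVS code. Sample log lines are constructed; the
parameter names (redirectUrl, user) and the path come from the advisory.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-log style samples (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Nov/2023:10:01:02 +0000] "GET /mobileredir/openApp.jsp?redirectUrl=%2Fportal%2Fhome HTTP/1.1" 302 0
10.0.0.9 - - [24/Nov/2023:10:01:07 +0000] "GET /mobileredir/openApp.jsp?redirectUrl=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.9 - - [24/Nov/2023:10:01:09 +0000] "GET /mobileredir/openApp.jsp?user=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 498
10.0.0.9 - - [24/Nov/2023:10:01:11 +0000] "GET /mobileredir/openApp.jsp?redirectUrl=javascript%3Aalert(1) HTTP/1.1" 200 498
10.0.0.7 - - [24/Nov/2023:10:02:00 +0000] "GET /portal/home HTTP/1.1" 200 2048
"""

# Apache/nginx combined log format (assumed); captures client, time, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers typical of reflected-XSS probes, checked after URL decoding.
# Heuristic: a parameter value like "one=two" would also trip the handler pattern.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),             # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(img|svg|iframe|body|object)\b", re.I),
]
WATCHED_PARAMS = ("redirectUrl", "user")
VULN_PATH = "/mobileredir/openApp.jsp"


def decode_param(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads are also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text: str) -> list:
    """Return one record per watched parameter value that looks like an XSS probe."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
        for name in WATCHED_PARAMS:
            for raw in params.get(name, []):
                value = decode_param(raw)
                if any(p.search(value) for p in XSS_PATTERNS):
                    hits.append({
                        "ip": m.group("ip"),
                        "ts": m.group("ts"),
                        "param": name,
                        "value": value,
                        "status": m.group("status"),
                    })
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["param"]}={hit["value"]!r} -> {hit["status"]}')
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a 200 response to a probe is worth more attention than a 302, since the fixed page should no longer reflect the value. Against the constructed sample it flags three of the five requests, all from 10.0.0.9.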
Exploitation status
EPSS
52.49% (98th percentile)
CVSS vector
The primary mitigation for CVE-2023-6275 is to upgrade to a patched version of TOTVS Fluig Platform: 1.7.1-231128, 1.8.0-231127, or 1.8.1-231127. If upgrading immediately is not possible, apply temporary workarounds: validate the redirectUrl and user parameters against an allowlist (for a redirect target, accept only same-origin relative paths) and HTML-encode any value that is written back into the page. A web application firewall (WAF) rule that blocks XSS payloads adds a layer of defense but is a stopgap, not a fix, since encoding and filter variations routinely bypass signature rules. Review and sanitize all user-supplied input before rendering it in web pages. After upgrading, confirm the fix by requesting the page with the original payload (and its URL-encoded form) and verifying that the payload is absent or HTML-escaped in the response rather than reflected verbatim.
Upgrade to version 1.7.1-231128, 1.8.0-231127 or 1.8.1-231127, or a later version. These versions contain the fix for the XSS vulnerability. Updating the affected component as soon as possible is recommended.
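The advisory describes the bug but not the patch. The following added example, not TOTVS code and not the real JSP, models in Python the two controls the mitigation paragraph calls for: an allowlist on the redirect target and HTML encoding on output, shown beside the unsafe reflection pattern. The page template, the default target and the function names are assumptions, and the reflects_unescaped helper is the check to run on a fetched response body after upgrading.

```python
"""Safe handling of a reflected redirect parameter (CVE-2023-6275 class).

Added example, not TOTVS code: the rendered markup, the default target and
the function names are assumptions used to illustrate the controls.
"""
import html
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_TARGET = "/portal/home"  # assumed same-origin fallback


def render_vulnerable(redirect_url: str) -> str:
    """Unsafe pattern: the parameter value is written into markup verbatim."""
    return f'<a href="{redirect_url}">Open app</a>'


def safe_redirect_target(value: Optional[str]) -> str:
    """Allowlist a redirect target: only a same-origin absolute path survives.

    Rejects schemes (http:, javascript:), protocol-relative hosts (//host and
    /\\host, which browsers treat alike), control characters and markup
    characters. Anything rejected falls back to DEFAULT_TARGET.
    """
    if not value:
        return DEFAULT_TARGET
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return DEFAULT_TARGET
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return DEFAULT_TARGET
    if not value.startswith("/") or value.startswith("//") or value.startswith("/\\"):
        return DEFAULT_TARGET
    if any(ch in value for ch in '<>"\''):
        return DEFAULT_TARGET
    return value


def render_hardened(redirect_url: Optional[str]) -> str:
    """Validate first, then HTML-encode for the attribute context on output."""
    target = safe_redirect_target(redirect_url)
    return f'<a href="{html.escape(target, quote=True)}">Open app</a>'


def reflects_unescaped(body: str, payload: str) -> bool:
    """Post-upgrade check: True if the raw payload came back unencoded."""
    return payload in body


if __name__ == "__main__":
    probe = "<script>alert(document.domain)</script>"
    print("vulnerable:", render_vulnerable(probe))
    print("hardened:  ", render_hardened(probe))
    print("still reflected after hardening?", reflects_unescaped(render_hardened(probe), probe))
```

The validation step does the real work: output encoding alone would stop script injection but still let a value like https://evil.example through as a working open redirect, which is why the allowlist and the encoding are both applied.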
CVE-2023-6275 is a cross-site scripting (XSS) vulnerability in TOTVS Fluig Platform versions up to 1.8.1, allowing attackers to inject malicious scripts.
If you are using TOTVS Fluig Platform version 1.8.1 or earlier, you are potentially affected by this vulnerability.
Upgrade to version 1.7.1-231128, 1.8.0-231127, or 1.8.1-231127 to address the vulnerability.
While there's no confirmed active exploitation, the public disclosure increases the risk of opportunistic attacks.
Refer to the official TOTVS security advisory for detailed information and updates regarding CVE-2023-6275.