← Advisories

SimpleRisk v20170416-001 Reflected XSS Vulnerabilities

High

Advisory ID

ZSL-2017-5414

Release Date

21 June 2017

Vendor

SimpleRisk, LLC - https://www.simplerisk.com

Affected Version

20170416-001, 20170108-001, 20170102-001

CVE

N/A

Tested On

PHP/5.5.9-1ubuntu4.20, Apache/2.4.7 (Ubuntu), MySQL 14.14 (Distrib 5.5.53 for debian-linux-gnu), Ubuntu 14.04.5 LTS

Summary

SimpleRisk is an open-source risk management system released under Mozilla Public License and used for risk management activities. It enables risk managers to account for risks, plan mitigation measures, facilitate management reviews, prioritize for project planning, and track periodic reviews.

Description

SimpleRisk suffers from two reflected cross-site scripting vulnerabilities when input passed via 'draw' POST parameter and the 'PHP_SELF' variable is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Proof of Concept

simplerisk_xss.htmlTXT

Disclosure Timeline

05.06.2017Vulnerability discovered.

05.06.2017Vendor contacted.

05.06.2017Vendor responds asking more details.

05.06.2017Sent details to the vendor.

05.06.2017Working with the vendor.

07.06.2017Vendor provides patch for verification.

07.06.2017Vendor informed that the patch is verified, vulnerabilities fixed.

07.06.2017Working with the vendor.

14.06.2017Vendor releases version 20170614-001 to address these issues.