WEMS Enterprise Manager 2.58 (email) Reflected XSS

Medium
Advisory ID: ZSL-2019-5551
Release Date: 29 December 2019
Vendor: WEMS Limited - https://www.wems.co.uk
Affected Version: 2.58.8903, 2.55.8806, 2.55.8782, 2.19.7959
Tested On: Linux, PHP
Summary

WEMS Enterprise Manager is a centralised management and monitoring system for many WEMS-equipped sites. It retrieves and stores data to enable energy analysis at an enterprise-wide level. It is designed to give global visibility of the key areas that affect a building's environmental and energy performance using site data collected via WEMS Site Managers or Niagara compatible hardware.

Description

Input passed to the GET parameter 'email' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in the context of an affected site.
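
A log check for the issue described above, as an added example that is not part of the original advisory or the vendor's code: it scans web access-log lines for requests whose 'email' query parameter carries HTML metacharacters, including double-encoded ones. The combined log format, the path `/PLACEHOLDER/page` and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (combined log format, placeholder path); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /PLACEHOLDER/page?email=user%40example.com HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2020:10:00:05 +0000] "GET /PLACEHOLDER/page?email=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 530',
    '192.0.2.12 - - [01/Jan/2020:10:00:09 +0000] "GET /PLACEHOLDER/page?email=%253Cb%253Etest HTTP/1.1" 200 528',
    '192.0.2.13 - - [01/Jan/2020:10:00:12 +0000] "GET /PLACEHOLDER/page?user=%3Cb%3E HTTP/1.1" 200 500',
]

# Characters that let a reflected value leave HTML text or attribute context.
# An apostrophe can occur in a legitimate address, so treat those hits as leads.
HTML_META = re.compile(r"[<>\"']")
# Request target inside the quoted request line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_email_values(log_lines, param="email"):
    """Return (line_number, decoded_value) where `param` holds HTML metacharacters."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() != param:
                continue
            decoded = fully_decode(value)  # parse_qsl already decoded once
            if HTML_META.search(decoded):
                hits.append((number, decoded))
    return hits

if __name__ == "__main__":
    for number, value in suspicious_email_values(SAMPLE_LOG):
        print(f"line {number}: email parameter contains markup: {value!r}")
```
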

Proof of Concept
Disclosure Timeline
06.07.2019 Vulnerability discovered.
13.08.2019 Vendor contacted.
29.08.2019 No response from the vendor.
30.08.2019 Vendor contacted.
02.09.2019 No response from the vendor.
03.09.2019 Vendor contacted.
28.12.2019 No response from the vendor.
29.12.2019 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
29.12.2019 Initial release
24.01.2020 Added reference [1], [2] and [3]
19.06.2021 Added reference [4] and [5]