giulia@homepage:~$ cat CVE-2022-28363.txt
#Product: RLM 14.2
#Vendor: Reprise Software
#CVE ID: CVE-2022-28363
#Vulnerability Title: Reflected Cross-Site Scripting
#Severity: Medium
#Author(s): Giulia Melotti Garibaldi
#Date: 2022-03-29
#####################################################
Introduction:
Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/login_process “username” parameter via GET. No authentication is required.
#####################################################
Vulnerability PoC:
#GET http://HOST:5054/goform/login_process?username=admin(XSS #PAYLOAD)&password=admin&ok=LOGIN HTTP/1.1
#Host: HOST:5054
#Accept-Language: en-US,en;q=0.5
#Content-Type: application/x-www-form-urlencoded
#Content-Length: 38
#Origin: http://HOST:5054
#Connection: keep-alive
#Referer: http://HOST:5054/goform/login_process
giulia@homepage:~$ cd $HOME