CVE-2019–7634: My first CVE
In this post, I will provide details about my first CVE. The vulnerability was discovered when I was on vacation and needed to update a piece of personal information in SUAP (Sistema Unificado de Administração Pública), a system used by several federal public institutions in Brazil.
Vulnerability: Stored XSS
Affected project: SUAP v2
After trying different payloads on various pages of the system, I finally found a flaw when updating the user’s data. I simply append the following payload to a field in the form:
And Voilà! This code will open a connection to Beef, allowing me to inject different payloads in the victim’s browser remotely.
After this, I immediately contacted the administration of the service with a Proof of Concept (PoC). The response was very fast and they quickly corrected the flaw. I suppose that now all the federal institutions using SUAP received the update.
XSS vulnerabilities are very common and are not that hard to be discovered, but everyone has to start somewhere. Besides, I had the opportunity to learn about the whole process of requesting a CVE.