{"id":24414,"date":"2025-08-28T16:39:12","date_gmt":"2025-08-28T14:39:12","guid":{"rendered":"https:\/\/herolab.usd.de\/usd-2025-19\/"},"modified":"2025-09-10T11:12:48","modified_gmt":"2025-09-10T09:12:48","slug":"usd-2025-0019","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-0019\/","title":{"rendered":"usd-2025-0019"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text admin_label=\"Text\" _builder_version=\"4.27.4\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2025-0019 | d.3one 1.14.16 - Reflective Cross-Site Scripting<\/h1>\n

<\/h1>\n

Product<\/strong>: d.3one
Affected Version<\/strong>: 1.14.16
Vulnerability Type<\/strong>: Cross-Site Scripting (CWE-79)
Security Risk<\/strong>: High
Vendor<\/strong>: d-velop
Vendor URL<\/strong>: https:\/\/www.d-velop.de\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed in version 7.30.13 and 7.33.3
CVE Number<\/strong>: Requested
CVE Link<\/strong>: -
Advisory ID<\/strong>: usd-2025-0019<\/p>\n

Description<\/h3>\n

By activating a malicious link, it is possible to execute JavaScript in the victim's browser. This can be exploited to call functions in the web interface on behalf of the victim and extract the content of the application. This compromises the confidentiality and integrity of the processed data.<\/p>\n

Proof of Concept<\/h3>\n

The following URL opens an alert box with the current domain name as an example:<\/p>\n

\n
<\/span>https:\/\/d3one-int.[...].local\/shell\/ng\/#?pentest=1\"><img]() src=x onerror=alert(document.domain)><\/pre>\n<\/div>\n
Screenshot of the alert box opened via JavaScript:<\/p>\n
\"\"<\/p>\n
The cause of the vulnerability is the use of the insecure function Element.insertAdjacentHTML <\/strong>without prior parameter clearing. The following screenshot shows an excerpt of the vulnerable code:<\/p>\n
\"\"<\/p>\n
After opening the above URL in the application, you can also see where the payload was embedded, as this has changed the HTML.<\/p>\n
\"\"<\/p>\n
The Mozilla documentation on the vulnerable function points out that no user input that has not been cleared should be used: <https:\/\/developer.mozilla.org\/de\/docs\/Web\/API\/Element\/insertAdjacentHTML#sicherheitshinweise><\/a><\/p>\n
Fix<\/h3>\n

The use of insecure functions should be prevented.<\/p>\n
References<\/h3>\n
<\/p>\n