Asp.Net Zero v12.3.0 - HTML Injection Leads To Open Redirect via Websockets (CVE-2023-48003)

# Details

An open redirect through HTML injection in user messages in Asp.Net Zero before 12.3.0 allows remote attackers to redirect targeted victims to any URL via the '<meta http-equiv="refresh"' in the WebSocket messages.

# Exploit Title: Asp.Net Zero v12.3.0 - HTML Injection Leads To Open Redirect via Websockets
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://aspnetzero.com/
# Software Link: https://aspnetzero.com/
# Version: Asp.Net Zero < v12.3.0

# Proof Of Concept
As a concept, messages are transmitted with websockets. A user can redirect the victim user to an arbitrary URL through a message.
1. Send following as message to targeted online user:

<META HTTP-EQUIV="refresh" »
CONTENT="0;url=https://target-url/">

2. The redirection is triggered without interaction when the message sent by the attacker appears on the victim user's dashboard.

# Proof Of Concept

https://github.com/passtheticket/vulnerability-research/blob/main/aspnetzero_html_injection_via_websockets_messages.md

PreviousADManager Plus Build < 7210 Elevation of Privilege Vulnerability (CVE-2024-24409)NextManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure (CVE-2023-31492)

Last updated 9 months ago