This content will be expanded on later; for now it serves as a quick description and write-up.
Overview
Dundas BI Server has two stable release versions available for customers to download: 7.0.2.1009 and 8.0.0.1001. Both versions contain persistent (stored) cross-site scripting (XSS) vulnerabilities in the same two locations of the dashboard editor: the HTML Label component and the script attached to a Button action.
Version 7.0.2.1009
HTML Label XSS
An authenticated attacker can insert malicious JavaScript into an HTML Label while creating or editing a dashboard. Because the label is saved with the dashboard, the payload is persistent: it is executed in the browser of any user who subsequently views that dashboard. To reproduce:
- The user must be authenticated and have permission to create or edit a dashboard.
- In the dashboard editing screen, click Components and select "HTML Label".
- Insert the code. PoC: <script>alert('XSS')</script>
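
The PoC above works because the label content is stored and later rendered as HTML without encoding. What follows is an added example, not code from Dundas BI or from this write-up, showing the two checks a practitioner would want: an output encoder that renders label content as inert text (the fix), and a denylist scanner for triaging label content already stored in dashboards. The function names and all sample inputs are constructed for the example; the first sample is the PoC from this write-up.

```javascript
// Added example, not part of the Dundas BI product or of the original write-up.
// Two checks for user-supplied HTML label content: an output encoder that
// renders the content as inert text, and a triage scanner that flags label
// content already stored in a dashboard. All inputs below are constructed.

// Encode the characters that let text break out of an HTML text node or a
// quoted attribute value. Encoded content is displayed literally and cannot
// start a tag, so a label rendered this way cannot carry script.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Indicators of active content in an HTML fragment. This is a denylist for
// triage of stored labels, not a sanitizer: entity-encoded or oddly formed
// payloads can slip past it, so the fix is escapeHtml (or an allowlist
// sanitizer), never this list alone.
const ACTIVE_CONTENT = [
  { name: 'script-capable tag', re: /<\s*\/?\s*(script|iframe|object|embed)\b/i },
  { name: 'inline event handler', re: /<[^>]*\son[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /<[^>]*\s(href|src|action|formaction)\s*=\s*["']?\s*javascript:/i },
];

// Return the names of every indicator that matches; an empty array means the
// fragment looked inert to this scanner.
function findActiveContent(html) {
  return ACTIVE_CONTENT.filter(({ re }) => re.test(html)).map(({ name }) => name);
}

// Simulate the two ways a viewer could render a stored label: verbatim (the
// vulnerable behaviour) or encoded (the safe behaviour), and report whether the
// rendered result still contains active content.
function renderLabel(stored, { encode }) {
  const html = encode ? escapeHtml(stored) : stored;
  return { html, findings: findActiveContent(html) };
}

// Constructed samples: the PoC from the write-up, two common variants that do
// not need a <script> tag, and one benign label.
const SAMPLES = {
  poc: "<script>alert('XSS')</script>",
  eventHandler: '<img src=x onerror="alert(document.cookie)">',
  jsUrl: '<a href="javascript:alert(1)">Details</a>',
  benign: '<b>Revenue by region</b> (Q3)',
};

function main() {
  for (const [label, stored] of Object.entries(SAMPLES)) {
    const verbatim = renderLabel(stored, { encode: false });
    const encoded = renderLabel(stored, { encode: true });
    console.log(`${label}: verbatim -> [${verbatim.findings}] ; encoded -> [${encoded.findings}]`);
  }
}

main();
```

Run with node: the scanner flags the PoC and both variants when rendered verbatim, and everything passed through escapeHtml comes back with no findings. The scanner is for triage only; regex denylists are bypassable (for example by entity-encoding characters inside attribute values), so the actual fix is to encode or allowlist-sanitize label HTML at render time. None of this applies to the Button action vector described under version 8.0.0.1001, where the stored content is JavaScript by design; the control there is who is permitted to author dashboard scripts that run for other viewers.
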

Button XSS
The reproduction steps are the same as those given for version 8.0.0.1001 below.

Version 8.0.0.1001
The same vulnerabilities exist in the latest release of Dundas BI.

HTML Label XSS
The reproduction steps are the same as those given for version 7.0.2.1009 above.

Button XSS
- Click Components and add a Button.
- Select the button.
- Open Properties and select the Click action (or another action such as Double Click or Hover).
- Insert the script and click "Build".