My first CVE! CVE-2021–41825: Verint Workforce Optimization-HTML Injection

Yara AlHumaidan (0xy37)
2 min readOct 6, 2021

--

HTML injection is a type of injection vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.

The attacker can then modify the page content seen by the victims.

  • Vulnerable Software: Verint Workforce Optimization (WFO)
  • Vulnerability: HTML Injection
  • Affected Version: 15.2 (15.2.5.1033)
  • Vendor Homepage: https://www.verint.com
  • CVE: CVE-2021–41825
  • About Affected Software: Verint Workforce Optimization is a suite of unified software and services for capturing interactions and managing the performance of employees across the enterprise or in targeted areas of your business.

• Steps to reproduce:

http://IP/wfo/control/signin?rd=%2Fwfo%2Fcontrol%2F

In the below screenshot when injecting an html tags in the username field we can see that it has been rendered in the response.

HTML injection POC

As seen below the HTML injection has been rendered successfully in the login page.

Rendering the HTML Injection
  • Timeline:

Initial Email Sent: August 16, 2021 — No response
Followup 2: August 30, 2021 — No response
Followup 3: September 9, 2021 — No response
CVE Generated: September 30, 2021
Followup 4: October 4, 2021 — No response
Published: October 6, 2021

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41825

  • Acknowledgment:

Thanks to the team i have been working with: Osama Aldosari, Dema Alsaif, Abdullah Alguwaihes.- Saudi information and technology company — SITE.

--

--

Yara AlHumaidan (0xy37)
Yara AlHumaidan (0xy37)

Written by Yara AlHumaidan (0xy37)

Penetration Testing Consultant | OSCP | OSWP | eWAPTXv2 | CRTP

No responses yet