Java System Solutions SSO Plugin For BMC MyIT 4.0.13.1 Cross Site Scripting

`Title:  
======  
  
Reflected XSS in Java System Solutions SSO Plugin 4.0.13.1 for BMC MyIT  
  
Description:  
============  
  
Reflected Cross-Site Scripting in Java System Solutions' BMC MyIT SSO Plugin version 4.0.13.1 was identified during a penetration test. Other versions might be affected as well. A remote attacker can abuse this issue to inject client-side scripts into the "select_sso()" function. The payload is triggered when the victim opens a prepared link and hits the "Login" button.  
  
Proof-of-concept:  
=================  
  
Open https://<hostname>/ux/jss-sso/arslogin?javascript:alert(%27Deloitte%20XSS%20PoC%27) and hit the "Login" button.  
  
Affected function:  
==================  
  
function select_sso() {   
console.log('SSO login');  
id('loginForm').action= 'javascript:alert(%27Deloitte%20XSS%20PoC%27)';  
id('username').name= 'username';  
id('password').name= 'password';  
  
usingsso(true);  
  
Solution:  
=========  
  
Contact vendor for fix.  
  
Disclosure Timeline:  
====================  
  
2018-07-17: Vulnerability discovered  
2018-07-17: Vulnerability reported to manufacturer  
2018-07-17: Response from manufacturer that vulnerability is known and has been fixed, but refused to provide any details  
2018-08-09: Requested CVE ID from MITRE; CVE-2018-15528 was reserved  
2018-08-20: Public disclosure of vulnerability & notification to manufacturer  
  
Credits:  
========  
  
This security vulnerability was found by Marco Murch of Deloitte GmbH.  
  
E-Mail: mamu[DELETE_ME_:-)]rch[at]deloitte[dot]de  
`