Critical XSS Vulnerability in Lukevella Rally Affects Versions Up to 4.7.4

Severity: High (Score: 72.9)

Sources: vulnerability.circl.lu, db.gcve.eu

Summary

A cross-site scripting (XSS) vulnerability has been identified in Lukevella Rally versions up to 4.7.4. The flaw resides in the Reset Password Handler component, specifically in the reset-password-form.tsx file, where manipulation of the 'redirectTo' argument can lead to XSS attacks. This vulnerability can be exploited remotely, posing a significant risk to users of the affected versions. The exploit has been published, increasing the urgency for users to upgrade. Users are advised to update to version 4.8.0 to mitigate this issue. The vendor was contacted prior to this disclosure, indicating that they were aware of the vulnerability. Detection rules for this vulnerability can be retrieved from Rulezet. Immediate action is recommended to prevent potential exploitation.

Key Points:

• A critical XSS vulnerability exists in Lukevella Rally versions up to 4.7.4.
• Exploitation can be performed remotely through manipulation of the 'redirectTo' argument.
• Users should upgrade to version 4.8.0 to mitigate the risk of exploitation.
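The advisory names the pattern (an attacker-controlled 'redirectTo' value reaching a navigation step in a .tsx form) but not the exact code path in Rally, so the following is an added, general-purpose example rather than the project's own code or its fix. It shows the defensive check a reset-password form should apply to a redirect target before handing it to any navigation API: accept only same-origin, path-only values and fall back to a safe default for everything else, including scheme-bearing strings such as javascript: or data:, protocol-relative //host values, absolute URLs to other origins, and non-string input. EXPECTED_ORIGIN and the function name are constructed for this example.

```typescript
// Added example (not Rally's code): validate a user-supplied redirect target.
// The assumed application origin; in a real app this comes from configuration.
const EXPECTED_ORIGIN = "https://app.example.test"; // constructed value

/**
 * Return a safe, same-origin path to navigate to, or `fallback`.
 * Rejects: non-strings, empty or oversized values, anything that is not a
 * plain relative path (so `javascript:` / `data:` / `https://other` never
 * pass), protocol-relative `//host` and backslash variants `/\host`, values
 * containing control characters or whitespace, and any value that still
 * resolves to a different origin once parsed.
 */
function safeRedirectTarget(raw: unknown, fallback: string = "/"): string {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return fallback;
  }
  // Syntactic gate: must be a path, not a scheme or a host reference.
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) {
    return fallback;
  }
  // Browsers strip some control characters during URL parsing; refuse them
  // outright rather than reasoning about how each one is normalised.
  if (/[\u0000-\u001F\u007F\s]/.test(raw)) {
    return fallback;
  }
  let parsed: URL;
  try {
    // Resolve against our own origin; WHATWG URL parsing handles the
    // remaining edge cases (e.g. backslash-as-slash for special schemes).
    parsed = new URL(raw, EXPECTED_ORIGIN);
  } catch {
    return fallback;
  }
  if (parsed.origin !== EXPECTED_ORIGIN) {
    return fallback;
  }
  // Re-emit only the path components, never the origin or a raw string.
  return parsed.pathname + parsed.search + parsed.hash;
}

/**
 * Navigation helper for a form submit handler: the caller passes the
 * untrusted `redirectTo` value and a navigation function (e.g. a router
 * push), and only the validated path ever reaches that function.
 */
function navigateAfterReset(
  redirectTo: unknown,
  navigate: (path: string) => void,
): string {
  const target = safeRedirectTarget(redirectTo, "/login");
  navigate(target);
  return target;
}
```

The important design choice is to allow-list the shape of the value (a same-origin path) rather than deny-list known-bad prefixes; a deny-list would have to enumerate every scheme and encoding trick, whereas the allow-list plus a parse-and-compare of the origin stays correct as browsers change.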
