SimpleRisk v20170416-001 Reflected XSS Vulnerabilities

Title: SimpleRisk v20170416-001 Reflected XSS Vulnerabilities
Advisory ID: ZSL-2017-5414
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 21.06.2017
Summary
SimpleRisk is an open-source risk management system released under Mozilla Public License and used for risk management activities. It enables risk managers to account for risks, plan mitigation measures, facilitate management reviews, prioritize for project planning, and track periodic reviews.
Description
SimpleRisk suffers from two reflected cross-site scripting vulnerabilities when input passed via 'draw' POST parameter and the 'PHP_SELF' variable is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Vendor
SimpleRisk, LLC - https://www.simplerisk.com
Affected Version
20170416-001
20170108-001
20170102-001
Tested On
PHP/5.5.9-1ubuntu4.20
Apache/2.4.7 (Ubuntu)
MySQL 14.14 (Distrib 5.5.53 for debian-linux-gnu)
Ubuntu 14.04.5 LTS
Vendor Status
[05.06.2017] Vulnerability discovered.
[05.06.2017] Vendor contacted.
[05.06.2017] Vendor responds asking more details.
[05.06.2017] Sent details to the vendor.
[05.06.2017] Working with the vendor.
[07.06.2017] Vendor provides patch for verification.
[07.06.2017] Vendor informed that the patch is verified, vulnerabilities fixed.
[07.06.2017] Working with the vendor.
[14.06.2017] Vendor releases version 20170614-001 to address these issues.
[21.06.2017] Coordinated public security advisory released.
PoC
simplerisk_xss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Josh!
References
[1] https://simplerisk.freshdesk.com/helpdesk/tickets/2497
[2] https://github.com/simplerisk/documentation/raw/master/SimpleRisk%20Release%20Notes%2020170614-001.pdf
[3] https://www.simplerisk.com/contributors
[4] https://cxsecurity.com/issue/WLB-2017060171
[5] https://packetstormsecurity.com/files/143104
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/127626
Changelog
[21.06.2017] - Initial release
[22.06.2017] - Added reference [4]
[27.06.2017] - Added reference [5]
[02.07.2017] - Added reference [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk