Proof of Concept and Exploitation Details
The vulnerability can be triggered by inserting HTML content, specifically script tags, into the email field of an Active Directory user. The following was inserted as a proof of concept to reflect the user’s cookie in an alert box:
An example of this on one such user can be seen in the image below:
Vulnerable Software Version
Raxis discovered this vulnerability on PRTG Network Monitor version 22.214.171.1243+.
Remediating the Vulnerability
Upgrade PRTG Network Monitor to Version 126.96.36.1993 or later immediately. The release notes and upgrade instructions can be found here: https://www.paessler.com/prtg/history/stable#188.8.131.523.
- March 22, 2021 – Vulnerability reported to Paessler Technologies.
- March 25, 2021 – Vulnerability confirmed by Paessler Technologies.
- April 12, 2021 – CVE-2021-29643 assigned to this vulnerability.
- July 6, 2021 – Paessler releases version 184.108.40.2063 to address this vulnerability.
CVE Links & More
- Mitre CVE – https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2021-29643
- NVD – https://nvd.nist.gov/vuln/detail/CVE-2021-29643