Writeups

XSS on Cameyo’s Virtual App Delivery platform (alternative to VDI & DaaS), a TIER0 Google acquisition per https://github.com/google/bughunters/blob/d1d112929c1e10ce86ec5686fa81eb1f828dd019/domain-tiers/external_domains_acquisitions.asciipb#L26

PoC: https://online.cameyo.com/apps/foo?setCookie=CyoMngEnt=&redirUrl=javascript:alert(origin)

This was fixed by sanitizing redirect URLs to only allow HTTP protocols.

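/**
 * Validate a redirect target taken from an untrusted query parameter.
 *
 * The candidate is resolved against the current page origin (so relative
 * paths are accepted) and is returned only if it is an http(s) URL on the
 * same origin as the page. Anything else — javascript:/data: schemes,
 * other hosts, scheme-relative `//host` forms, or unparsable input —
 * yields undefined so the caller skips the redirect entirely.
 *
 * @param {string|null|undefined} urlParameter - raw value of the redirect parameter
 * @returns {URL|undefined} the parsed same-origin URL, or undefined when blocked
 */
function getSafeRedirectUrl(urlParameter) {
  if (!urlParameter) {
    return; // No URL provided
  }
  let url;
  try {
    // Relative values resolve against the page origin; absolute values keep their own.
    url = new URL(urlParameter, window.location.origin);
  } catch (e) {
    return; // urlParameter is not a parsable URL at all
  }
  // Explicit scheme allowlist: rejects javascript:, data:, vbscript:, etc.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return; // Blocked redirect to potentially unsafe URL
  }
  // Compare the full origin rather than only the hostname, so a redirect
  // cannot change scheme or port on the same host (e.g. https -> http downgrade).
  if (url.origin !== window.location.origin) {
    return; // Blocked redirect to external URL
  }
  return url;
}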

// SetCookie (used by companyAdd.aspx)
// Reads the `setCookie` query parameter, and — only when it carries the
// expected `CyoMngEnt=` prefix and `redirUrl` passes getSafeRedirectUrl —
// stores it as a cookie and navigates to the validated URL.
// The declarations stay `var` on purpose: this runs as a classic script,
// so these names are globals and other code may rely on them.
var setCookie = getURLParameter('setCookie');
var redirUrl;
var safeUrl;
if (setCookie !== null && setCookie.startsWith('CyoMngEnt=')) {
  redirUrl = getURLParameter('redirUrl');
  safeUrl = getSafeRedirectUrl(redirUrl);
}
// safeUrl is only ever set on the branch above, so this is the same gate
// as nesting it inside; keeping it flat makes the two side effects obvious.
if (safeUrl) {
  // NOTE(review): only the `CyoMngEnt=` prefix is validated; the cookie
  // value and any attributes after `;` come straight from the query
  // parameter — confirm that is intended for this flow.
  document.cookie = setCookie;
  document.location.href = safeUrl;
}

This was a duplicate report so was not rewarded.