CVE-2023-48644 is a cross-site scripting (XSS) vulnerability identified in the Archibus mobile application version 4.0.3 for iOS, specifically within the create work request feature of the maintenance module. The vulnerability arises from insufficient input sanitization or output encoding in the description field, allowing an attacker to inject malicious scripts. When a user interacts with the compromised input, the injected script executes in the context of the user’s session. This can lead to unauthorized actions performed on behalf of the user, such as manipulating work requests or other application functions, and potentially exfiltrating sensitive data accessible through the app. The vulnerability is remotely exploitable over the network without requiring prior authentication, but it does require user interaction (e.g., viewing or interacting with the crafted input). The CVSS v3.1 base score is 6.1 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, but user interaction needed, and limited impact on confidentiality and integrity with no impact on availability. No known public exploits or patches have been reported at the time of publication. The vulnerability is categorized under CWE-200 (Exposure of Sensitive Information), indicating that the XSS can lead to unauthorized data disclosure.

For European organizations using the Archibus iOS app, particularly those relying on the maintenance module for facility or asset management, this vulnerability poses a risk of unauthorized data exposure and potential manipulation of maintenance requests. Attackers exploiting this XSS flaw could hijack user sessions to perform unauthorized actions, potentially disrupting maintenance workflows or leaking sensitive operational data. This could impact organizations in sectors such as real estate management, infrastructure, healthcare, and education, where Archibus is commonly used. The medium severity suggests a moderate risk, but the requirement for user interaction limits mass exploitation. However, targeted attacks against high-value users or administrators could lead to significant operational disruptions or data breaches. Additionally, the cross-site scripting nature could be leveraged as a foothold for further attacks, including phishing or lateral movement within the organization’s mobile environment.

To mitigate this vulnerability, European organizations should: 1) Immediately review and restrict usage of the vulnerable Archibus iOS app version 4.0.3, especially in sensitive environments. 2) Implement strict input validation and output encoding on the description field within the create work request feature to prevent script injection. 3) Educate users to be cautious when interacting with unexpected or suspicious work request descriptions, especially those received from untrusted sources. 4) Monitor network and application logs for unusual activity indicative of XSS exploitation attempts. 5) Coordinate with the Archibus vendor or support channels to obtain patches or updates addressing this vulnerability as soon as they become available. 6) Consider deploying mobile device management (MDM) policies to control app versions and enforce security configurations on iOS devices. 7) Employ Content Security Policy (CSP) headers if applicable within the app’s web views to restrict script execution sources. These steps go beyond generic advice by focusing on immediate operational controls, user awareness, and vendor engagement specific to the Archibus app context.