
CVE-2023-6275: CWE-79 Cross Site Scripting in TOTVS Fluig Platform

Severity: Low
Tags: Vulnerability, CVE-2023-6275, cve, cwe-79
Published: Fri Nov 24 2023 (11/24/2023, 15:00:06 UTC)
Source: CVE Database V5
Vendor/Project: TOTVS
Product: Fluig Platform

Description

A vulnerability was found in TOTVS Fluig Platform 1.6.x/1.7.x/1.8.0/1.8.1. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /mobileredir/openApp.jsp of the component mobileredir. The manipulation of the argument redirectUrl/user with the input "><script>alert(document.domain)</script> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.1-231128, 1.8.0-231127 and 1.8.1-231127 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-246104.

AI-Powered Analysis

Last updated: 07/04/2025, 16:25:47 UTC

Technical Analysis

CVE-2023-6275 is a Cross Site Scripting (XSS) vulnerability identified in the TOTVS Fluig Platform versions 1.6.x, 1.7.x, 1.8.0, and 1.8.1. The vulnerability resides in the mobileredir component, specifically in the /mobileredir/openApp.jsp file. The issue arises from improper sanitization of the redirectUrl/user parameter, which allows an attacker to inject malicious JavaScript code, such as "><script>alert(document.domain)</script>. This type of injection enables an attacker to execute arbitrary scripts in the context of the victim's browser session when they visit a crafted URL. The vulnerability can be exploited remotely, but requires some level of privileges (PR:L) and user interaction (UI:R), as indicated by the CVSS vector. The flaw does not impact confidentiality but can affect the integrity of the user's session or data by executing unauthorized scripts, potentially leading to session hijacking, phishing, or other client-side attacks. The vendor has addressed this issue in versions 1.7.1-231128, 1.8.0-231127, and 1.8.1-231127, and upgrading to these versions is recommended to remediate the vulnerability. Although the CVSS score is 3.5 (low severity), the public disclosure of the exploit code increases the risk of opportunistic attacks, especially in environments where the platform is widely used and users may be less security-aware.

Potential Impact

For European organizations using TOTVS Fluig Platform, this XSS vulnerability can lead to client-side attacks that compromise user sessions and trust in the platform. While it does not directly compromise server confidentiality or availability, successful exploitation can enable attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. This can result in data integrity issues, loss of user trust, and potential compliance violations under GDPR if personal data is exposed or manipulated. Organizations in sectors such as finance, healthcare, and public administration that rely on Fluig for collaboration and document management may face reputational damage and operational disruptions. The requirement for user interaction and some privileges reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks, especially spear-phishing campaigns leveraging this vulnerability.

Mitigation Recommendations

1. Immediate upgrade of TOTVS Fluig Platform to the fixed versions 1.7.1-231128, 1.8.0-231127, or 1.8.1-231127 to ensure the vulnerability is patched.
2. Implement strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the platform.
3. Conduct a thorough review of all user input handling and output encoding in customizations or integrations with Fluig to prevent similar injection flaws.
4. Educate users about the risks of clicking on suspicious links and implement multi-factor authentication to reduce the impact of session hijacking.
5. Monitor web application logs and user activity for unusual patterns that may indicate exploitation attempts.
6. If upgrading is not immediately possible, consider deploying Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the redirectUrl/user parameter.
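Recommendations 2 and 3 above come down to two controls at the point where a redirector page reflects request parameters: validate the redirect target against an allowlist, and encode every reflected value for the HTML context it lands in, with a CSP as the backstop. The following is an added illustration written for this page, not TOTVS code and not the logic of openApp.jsp; it is in Python rather than JSP so it can be run stand-alone. The `ALLOWED_REDIRECT_HOSTS` set, the `render_open_app` fragment and the CSP string are hypothetical, and the sample input is the payload quoted in the advisory, used here only to show that it comes out inert.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the redirector may send users to.
# Constructed for this example; not a Fluig setting.
ALLOWED_REDIRECT_HOSTS = {"fluig.example.internal"}

# Constructed sample input: the reflected value quoted in the advisory text.
PAYLOAD = '"><script>alert(document.domain)</script>'


def validate_redirect_url(value: str) -> Optional[str]:
    """Return the URL if it is a same-site relative path or an https URL on an
    allowlisted host; otherwise return None. Rejects scheme tricks such as
    javascript: and protocol-relative //host/ URLs, plus header-injection chars."""
    if not value or any(ch in value for ch in "\r\n\x00"):
        return None
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: urlsplit already treats a leading // as a netloc,
        # so a single leading slash is the only accepted relative form.
        return value if value.startswith("/") else None
    if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return value
    return None


def attr(value: str) -> str:
    """Encode a value for insertion inside a double-quoted HTML attribute.
    Turns the attribute-breakout characters " < > & into entities."""
    return html.escape(value, quote=True)


def render_open_app(redirect_url: str, user: str) -> str:
    """Build the kind of HTML fragment a mobile redirector page might emit
    (hypothetical markup). The redirect target is validated before use and
    every reflected value is encoded for the attribute or text context it lands in."""
    safe_target = validate_redirect_url(redirect_url) or "/"
    return (
        f'<a id="open" href="{attr(safe_target)}" data-user="{attr(user)}">'
        f"Open app for {html.escape(user)}</a>"
    )


def csp_header() -> str:
    """A strict Content-Security-Policy value: no inline script and no scripts
    from other origins, so an injected <script> block would not execute even if
    encoding were missed somewhere. Hypothetical policy; tune to the deployment."""
    return (
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        "base-uri 'self'; frame-ancestors 'self'"
    )


if __name__ == "__main__":
    print(render_open_app(PAYLOAD, PAYLOAD))
    print("Content-Security-Policy:", csp_header())
```

Running the block prints a fragment in which the quoted payload appears only as `&quot;&gt;&lt;script&gt;...` inside the attributes, so no attribute is closed early and no script element is created; the redirect target falls back to `/` because the payload is neither a relative path nor an allowlisted https URL. The CSP value is what a server would send so that even an encoding miss in a customization cannot run inline script.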


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2023-11-24T07:39:50.362Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683f034a182aa0cae27e662e

Added to database: 6/3/2025, 2:14:34 PM

Last enriched: 7/4/2025, 4:25:47 PM

Last updated: 8/15/2025, 4:58:29 PM