Reflected Cross-Site Scripting in businesscenter.kaiza.la

Tenable discovered a cross-site scripting vulnerability in the url parameter of https://businesscenter.kaiza.la/consoleTab/popupTransactionStart.html. This can lead to an attacker gaining arbitrary javascript execution in the context of a victim's browser if they convince said victim to follow a malicious link.

As most subdomains of kaiza.la trust *.kaiza.la for cross-origin requests, this could potentially be leveraged for further impact. For example, a more complicated payload could leverage the page https://webapp.kaiza.la/assets/actionboot.html to load content from a custom kaizala action which allows the reflected XSS to steal authentication tokens for the webapp.kaiza.la domain if the victim is currently logged into webapp.kaiza.la.

The vulnerability exists because the url parameter is passed unsanitized to window.location.href, so passing an argument like javascript:alert(1);// will trigger the execution of javascript while still in the context of the businesscenter.kaiza.la domain, the ;// commenting out any additional text from the original source code in the context of the malicious javascript uri passed. 

Proof of Concept: 

Prior to being fixed, visiting the following link would trigger a reflected XSS payload:

https://businesscenter.kaiza.la/consoleTab/popupTransactionStart.html?url=javascript:alert(document.domain)%3b%2f%2f