RemObjects Remoting SDK 9 188.8.131.52 for Delphi is vulnerable to a reflected Cross Site Scripting (XSS) attack via the service parameter to the /soap URI, triggering an invalid attempt to generate WSDL.
RemObjects Remoting SDK
Clients are applications that talk to your servers, and Remoting SDK allows you to add client functionality to apps written in just about any modern programming tool, and for all current platforms: Cocoa developers can use our native Cocoa frameworks from Swift, Objective-C, Oxygene or RemObjects C#
Many web applications use this SDK and expose it publicly on some port. This reflected XSS can be used to hijack user accounts by simply luring users into clicking the following URL.
Attacker Web Server
python -m SimpleHTTPServer 9090
RemObjects SDK for delphi v1.0.0 inurl:/SOAP/?service= RemObjects SDK for Delphi v184.108.40.206 intext:RemObjects SDK for Delphi RemObjects Software, LLC.
- RemObjects Bug
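For operators who need to check whether the service parameter of /soap has been probed, the following added example (not code from RemObjects or from this advisory) scans web access-log lines for /soap requests whose decoded service value is not a plain identifier. The log format, the sample lines and the rule that legitimate service names contain only letters, digits, '_' and '.' are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: legitimate service names are plain identifiers.
SAFE_SERVICE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")
# Request line as it appears in common/combined access-log format.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_service(log_line):
    """Return the decoded service value when the line is a /soap request
    whose service parameter is not a plain identifier, otherwise None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    # The endpoint is matched case-insensitively, with or without a trailing slash.
    if url.path.rstrip("/").lower() != "/soap":
        return None
    # parse_qsl percent-decodes values, so encoded markup is seen in clear.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() == "service" and not SAFE_SERVICE.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (line index, decoded value) for every suspicious request."""
    return [(i, v) for i, line in enumerate(lines)
            if (v := suspicious_service(line)) is not None]


# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2020:10:00:00 +0000] '
    '"GET /soap?service=NewService HTTP/1.1" 200 512',
    '198.51.100.8 - - [01/Jan/2020:10:00:05 +0000] '
    '"GET /SOAP/?service=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 500 230',
    '198.51.100.9 - - [01/Jan/2020:10:00:09 +0000] '
    '"GET /bin?service=%3Cb%3E HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for index, value in scan(SAMPLE_LOG):
        print(f"line {index}: suspicious service value {value!r}")
```

The same identifier check can be applied as a request filter in front of the server until the SDK is updated, since any value that fails it is not a name the server could resolve to a real service under the stated assumption.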