Thinfinity VirtualUI IFRAME Injection

Thinfinity VirtualUI version suffers from an iframe injection vulnerability.

MD5 | c81a621d50748a9d46e770fa7afe4b1e

Exploit Title: Thinfinity VirtualUI  - IFRAME Injection
Date: 16/12/2021
Exploit Author: Daniel Morales
Vendor: <>
Software Link: <>
Version: Thinfinity VirtualUI < v3.0
Tested on: Microsoft Windows
CVE: CVE-2021-45092

How it works
By accessing the following payload (URL) an attacker could iframe any external website (of course, only external endpoints that allows being iframed).

The vulnerable vector is " <> " where "vpath=//" is the pointer to the external site to be iframed.

Vulnerable versions
It has been tested in VirtualUI version,,,, and

References <> <> <>

Related Posts