CVE-2023-6275

LOW · NUCLEI

TOTVS Fluig 1.6.x-1.8.1 - Cross-Site Scripting via mobileredir openApp.jsp redirectUrl Parameter


Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-6275. PoCs have been published by erickfernandox and LelioCosta. A Nuclei detection template is also available.

AI-analyzed exploit summary

This repository provides a writeup for CVE-2023-6275, detailing a reflected XSS vulnerability in TOTVS Fluig Platform versions 1.6.X to 1.8.1. The vulnerability is exploitable via the 'redirectUrl' and 'user' parameters in the 'mobileredir' module.

Description

A vulnerability was found in TOTVS Fluig Platform 1.6.x/1.7.x/1.8.0/1.8.1. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /mobileredir/openApp.jsp of the component mobileredir. Manipulation of the argument redirectUrl/user with the input "><script>alert(document.domain)</script> leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.1-231128, 1.8.0-231127 or 1.8.1-231127 addresses this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-246104.

Exploits (2)

nomisec · WRITEUP · 1 star
by erickfernandox · poc
https://github.com/erickfernandox/CVE-2023-6275

This repository provides a writeup for CVE-2023-6275, detailing a reflected XSS vulnerability in TOTVS Fluig Platform versions 1.6.X to 1.8.1. The vulnerability is exploitable via the 'redirectUrl' and 'user' parameters in the 'mobileredir' module.

Classification: Writeup (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: TOTVS Fluig Platform 1.6.X - 1.8.1
Auth: No auth needed
Prerequisites: Access to the vulnerable Fluig instance · Ability to craft malicious URLs
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WRITEUP
by LelioCosta · poc
https://github.com/LelioCosta/FLUIG-Vulnerabilidade-CVE-2023-6275

This repository contains a writeup describing a reflected XSS vulnerability in TOTVS Fluig Platform versions 1.6.x to 1.8.1. The vulnerability is triggered via the 'redirectUrl' and 'user' parameters in the 'mobileredir' module, requiring user interaction.

Classification: Writeup (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: TOTVS Fluig Platform 1.6.x - 1.8.1
Auth: No auth needed
Prerequisites: Victim interaction required to trigger the payload
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

TOTVS Fluig Platform - Cross-Site Scripting
MEDIUM · VERIFIED · by s4e-io
FOFA: app="TOTVS-Fluig"

References (3)

Core References
https://vuldb.com/?id.246104 (Third Party Advisory, VDB Entry; tags: vdb-entry, technical-description)
https://vuldb.com/?ctiid.246104 (Permissions Required, Third Party Advisory, VDB Entry; tags: signature, permissions-required)

Scores

CVSS v3: 3.5
EPSS: 0.0238
EPSS Percentile: 81.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): totvs/fluig 1.6.0 - 1.8.1
Published: Nov 24, 2023
Tracked Since: Feb 18, 2026