huntr report D213D7EA-FE92-40B2-A1F9-2BA32DEC50F5 by thanhlocstudent, Aug 19, 2022 - 5:57 p.m.

Persistent Cross Site Scripting - BusinessHours Module - Settings

Tags: cross site scripting, businesshours, editviewblocks, stored xss, validation, purifier, security, settings, payload, proof of concept, bug bounty

EPSS: 0.001 (Percentile: 21.4%)

Description

The application uses Purifier to prevent Cross-Site Scripting attacks. However, in the BusinessHours module under Settings, the "name" parameter is of type "Text" but is not validated, and it is used directly, without any encoding or validation, in EditViewBlocks.tpl. This allows an attacker to inject arbitrary JavaScript code and perform a Stored XSS attack.

Proof of Concept

  1. Log in to the application.
  2. Access the BusinessHours module (Edit view) via the following URL:
     https://gitstable.yetiforce.com/index.php?module=BusinessHours&parent=Settings&view=Edit&record={id}
  3. Replace the {id} in the previous URL with a valid record ID.
     Change the value of the "name" parameter to the following payload:
     BusinessHours" onfocus="alert(document.domain)" autofocus ""="
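The following PHP is an added example, not YetiForce code and not part of the original report. It places the unencoded rendering pattern the description attributes to EditViewBlocks.tpl beside a version that applies HTML attribute-context encoding, feeds both the payload quoted above, and parses the result to show which one keeps the value inside the attribute. The function names are hypothetical.

```php
<?php
// Added example (not YetiForce code): rendering the "name" field into an
// HTML attribute. renderNameFieldVulnerable mirrors the unencoded output the
// report describes; renderNameFieldSafe adds attribute-context encoding.

function renderNameFieldVulnerable(string $name): string
{
    // The value is concatenated straight into the attribute, so a double
    // quote inside $name closes the value and any text after it becomes
    // new attributes on the element.
    return '<input type="text" name="name" value="' . $name . '">';
}

function renderNameFieldSafe(string $name): string
{
    // ENT_QUOTES encodes both " and ' so the value cannot terminate the
    // attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
    // an empty string, which would otherwise silently drop the field.
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="name" value="' . $encoded . '">';
}

// Parses the rendered fragment the way a browser would and returns the
// attribute names the <input> element ended up with.
function renderedAttributeNames(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // the vulnerable fragment is malformed
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Payload quoted from the report, used here only as test input.
$payload = 'BusinessHours" onfocus="alert(document.domain)" autofocus ""="';

$vulnerable = renderNameFieldVulnerable($payload);
$safe       = renderNameFieldSafe($payload);

echo $vulnerable, PHP_EOL;
echo $safe, PHP_EOL;

// The unencoded render grows an onfocus handler the template never defined.
if (!in_array('onfocus', renderedAttributeNames($vulnerable), true)) {
    throw new RuntimeException('expected the unencoded render to expose an event handler');
}

// The encoded render keeps exactly the template's three attributes, and the
// stored text round-trips unchanged as data rather than as markup.
$safeNames = renderedAttributeNames($safe);
if ($safeNames !== ['type', 'name', 'value']) {
    throw new RuntimeException('encoded render still allows attribute breakout');
}
$doc = new DOMDocument();
libxml_use_internal_errors(true);
$doc->loadHTML('<!DOCTYPE html><html><body>' . $safe . '</body></html>');
libxml_clear_errors();
$value = $doc->getElementsByTagName('input')->item(0)->getAttribute('value');
if ($value !== $payload) {
    throw new RuntimeException('encoded value did not round-trip');
}
echo 'attribute-context encoding keeps the payload inside the value attribute', PHP_EOL;
```

Run it with `php render_check.php` (file name assumed). In a Smarty template the equivalent of the hardened function is the `escape` modifier on the interpolated variable, whose default `html` mode also calls `htmlspecialchars` with `ENT_QUOTES`; a server-side input filter such as Purifier does not replace that output-side encoding, because a value declared as "Text" can legitimately contain quote characters.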

[Screenshots: Inject the payload; Payload; PoC]

PoC Video

https://drive.google.com/file/d/1eOMZ1-ltqBA4OgJh1s14sRllXnqoU8XV/view?usp=sharing
