Lucene search
0xb4cEDEED309-BE07-4373-B15E-2D1EB415EB89HistoryAug 16, 2022 - 9:36 a.m.
Stored XSS in 'Table name' field via Database information function
2022-08-1609:36:44
0xb4c
www.huntr.dev
9
0.001 Low
EPSS
Percentile
21.6%
Description
When the administrator uses the Database information function, malicious code will be accidentally called and executed through two cases:
- (1) An internal attacker (local) with access right to the database could insert malicious content into the
table namefield by creating a table in the database. - (2) The second possible case is when the system administrator performs a malicious import of the database from an unknown source with the
table namefield injected by malicious content.
Proof of Concept
Payload
CREATE TABLE `yetiforce`.`<script>alert('stored_xss')</script>` ( `id` INT NOT NULL ) ENGINE = InnoDB CHARSET=armscii8 COLLATE armscii8_general_nopad_ci;
Reprodution steps
- Step 1: The internal attacker create a new table with the payload above.
- Step 2: Access
Database informationfunction in Admin Dashboard > Logs > Server configuration
- Step 3: The XSS should fire immediately when detailed information about the database is loaded.
References
Related
prion
prion
Cross site scripting
2022-08-21 08:15:00
nvd
nvd
CVE-2022-2885
2022-08-21 08:15:19
cve
cve
CVE-2022-2885
2022-08-21 08:15:19
osv
osv
Cross site scripting in yetiforce/yetiforce-crm
2022-08-22 00:00:49
CVE-2022-2885
2022-08-21 08:15:19
cvelist
cvelist
github
github
Cross site scripting in yetiforce/yetiforce-crm
2022-08-22 00:00:49