Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Information

Product             : 1CRM On-Premise Software
Vulnerability Name  : Stored Cross-Site Scripting
version             : 8.5.7
Fixed on            : 8.5.10
Test on             : CentOS 7.6.1810 (Core)
Reference           : https://1crm.com
CVE-Number          : CVE-2019-14221

Description

1CRM On-Premise Software 8.5.7 allows XSS via a payload that is mishandled during a Run Report operation.

PoC

Attacker

  1. Login as any user
  2. Click Email icon
  3. Click Report
  4. Click Create Report

1

  1. Fill Report Name
  2. Assign to Victim (In this example we assigned to admin)

2

  1. Click Column Layout
  2. Click Add empty column

3

  1. Input malicious code (ex. <script>alert(document.cookie);</script>)

4

  1. Click Save

5

Victim

  1. Click email icon
  2. Click Report
  3. Choose report that we recently created

6

  1. Click Run Report

7

  1. Admin cookie will popup

8

PoC Video

https://youtu.be/hfqgPatMLRc

Credit

Kusol Watchara-Apanukorn (SHA999)

References

https://nvd.nist.gov/vuln/detail/CVE-2019-14221