Description: Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable website, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a "trusted" server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-II XSS.
Proof of concept:
Step 1: Log in to the CRM.
Step 2: In the search panel, enter the malicious JavaScript and press Enter; the code executes successfully.
Affected software: EspoCRM-5.3.6
Type of vulnerability: Non-Persistent or Type-II XSS
Discovered by: BreachLock
Website: https://www.breachlock.com
Author: Balvinder Singh
VulnerableURL: http://localhost/EspoCRM-5.3.6/EspoCRM-5.3.6/#Account
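The reflection described above comes down to a search term being written into the page without output encoding. The following is an added illustration, not EspoCRM's code: the function names, the banner markup and the inert probe string are all hypothetical, and it shows the unencoded rendering beside the encoded one, with a check usable as a regression test.

```javascript
// Added illustration; names and markup are hypothetical, not from EspoCRM.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the characters that can change how the browser parses HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the search term is concatenated into markup as-is, so any
// markup inside the term becomes part of the page.
function renderSearchBannerUnsafe(term) {
  return '<div class="search-info">Results for "' + term + '"</div>';
}

// "After": the term is encoded for the HTML context before output, so the
// browser displays it as text instead of parsing it.
function renderSearchBannerSafe(term) {
  return '<div class="search-info">Results for "' + escapeHtml(term) + '"</div>';
}

// Regression check: did the rendered output gain an element that only the
// input could have introduced?
function reflectsMarkup(rendered, probeTag) {
  return new RegExp('<' + probeTag + '[\\s>]', 'i').test(rendered);
}

// Constructed, inert probe: harmless markup that closes the surrounding
// element and opens a <u> tag. It carries no script.
const PROBE = 'acme"</div><u id="probe">x</u>';

function demo() {
  return {
    unsafeReflects: reflectsMarkup(renderSearchBannerUnsafe(PROBE), 'u'),
    safeReflects: reflectsMarkup(renderSearchBannerSafe(PROBE), 'u'),
  };
}

console.log(demo());
```

When the term is written through a DOM API instead of an HTML string, assigning it to `textContent` gives the same result without a hand-written encoder.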