Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
Vulnerability: Cross-Site Scripting via Import Vcard
# Tophe Guevara / Deltek
# CVE-2019-15950
Description: An authenticated user with access to contacts is able to upload vcard files that contain cross-site scripting payload. Script
will execute once vcard is successfully imported.
# Product: Redmine CRM Plugin
# Reported: Nov 2018 | Fixed by Vendor: April 2019
# Vulnerable version: CRM < 4.2.4
# Reference: https://www.redmineup.com/pages/plugins/crm/updates (Apr 15, 2019 (Version: 4.2.4))
----
PoC:
Upload a file that contains a payload:
Filename: vcardXSS
<script>alert("XSS! on your Vcards!")</script>