Exploits / Vulnerability Discovered : 2019-08-02 |
Type : webapps |
Platform : php
This exploit / vulnerability 1crm onpremise software 8.5.7 persistent crosssite scripting is for educational purposes only and if it is used you will do on your own risk!
XSS flaws occur whenever an application includes untrusted data in a
new web page without proper validation or escaping, or updates an
existing web page with user supplied data using a browser API that can
create JavaScript. XSS allows attackers to execute scripts in the
victim’s browser which can hijack user sessions, deface web sites, or
redirect the user to malicious sites.
########################################################################################################################
Attack Narratives and Scenarios:
#
#
**Attacker**
#
1. Login as any user
#
2. Click Email icon
#
3. Click Report
#
4. Click Create Report
#
5. Fill Report Name (In our case we fill Company B)
#
6. Assign to Victim (In our case we assigned to admin)
#
7. Click Column Layout
#
8. Click Add empty column
#
9. Input malicious code (In our case:
<script>alert(document.cookie);</script>)
#
10. Click Save
#
#
**Victim**
#
1. Click email icon
#
2. Click Report
#
3. Choose report that we recently created (In our case we choose
Company B) #
4. Click Run Report
#
5. Admin cookie will popup
#
########################################################################################################################