Persistent Cross Site Scripting - Workflow Module - Settings in yetiforcecompany/yetiforcecrm

Valid

Reported on

Aug 19th 2022


Description

The application uses Purifier to avoid the Cross Site Scripting attack. However, On Workflow module from Settings, the type of workflowModel->summary parameter is not defined and validated, it's used directly without any encoding or validation on Workflows/Step1.tpl and Workflows/Step2.tpl. It allows attacker to inject arbitrary Javascript code to perform an Stored XSS attack.

Proof of Concept

  1. 1- Login to the application
  2. 2- Access the WidgetsManagement Module via the following URL:
  3. https://gitstable.yetiforce.com/index.php?module=Workflows&parent=Settings&view=Edit&record={id}
  4. 3-Change the {id} of the previous URL with the valid recordID. Change the value of "summary" parameter with the following payload:
Workflow" onfocus="alert(document.domain)" autofocus ""="

**Inject the payload Payload

PoC

PoC Video

https://drive.google.com/file/d/1Ri-tO_QjVcugTkroVDi8KxUfkoTJIb6n/view?usp=sharing

Impact

An XSS attack allows an attacker to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

We are processing your report and will contact the yetiforcecompany/yetiforcecrm team within 24 hours. a month ago
thanhlocpanda modified the report
a month ago
We have contacted a member of the yetiforcecompany/yetiforcecrm team and are waiting to hear back a month ago
thanhlocpanda modified the report
a month ago
We have sent a follow up to the yetiforcecompany/yetiforcecrm team. We will try again in 7 days. a month ago
thanhlocpanda modified the report
a month ago
Radosław Skrzypczak validated this vulnerability a month ago
thanhlocpanda has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the yetiforcecompany/yetiforcecrm team. We will try again in 7 days. 25 days ago
We have sent a second fix follow up to the yetiforcecompany/yetiforcecrm team. We will try again in 10 days. 18 days ago
We have sent a third and final fix follow up to the yetiforcecompany/yetiforcecrm team. This report is now considered stale. 8 days ago
thanhlocpanda
4 days ago

Researcher


Hi @admin, the bug has been fixed by @rskrzypczak, please help me review and publish the CVE. You can check with the following commit: https://github.com/YetiForceCompany/YetiForceCRM/commit/cd82ecce44d83f1f6c10c7766bf36f3026de024a#diff-19252b5c61368ca2e02f56793abe97739fb753c6189b12d2a07160638d00f0c8 https://github.com/YetiForceCompany/YetiForceCRM/commit/cd82ecce44d83f1f6c10c7766bf36f3026de024a#diff-d5a25f087c0dcd145b307d7e394008aa5598cbdbd2d3517ad7e634850f8b73e5

Radosław Skrzypczak confirmed that a fix has been merged on cd82ec 3 days ago
The fix bounty has been dropped
Step2.tpl#L16 has been validated
Step1.tpl#L53 has been validated
to join this conversation