Persistent Cross Site Scripting - BusinessHours Module - Settings in yetiforcecompany/yetiforcecrm

Valid

Reported on

Aug 19th 2022


Description

The application uses Purifier to avoid the Cross Site Scripting attack. However, On BusinessHours module from Settings, the type of name parameter is "Text" but it is not validated and it's used directly without any encoding or validation on EditViewBlocks.tpl. It allows attacker to inject arbitrary Javascript code to perform an Stored XSS attack.

Proof of Concept

  1. 1- Login to the application
  2. 2- Access the BusinessHours Module (Edit) via the following URL:
  3. https://gitstable.yetiforce.com/index.php?module=BusinessHours&parent=Settings&view=Edit&record={id}
  4. 3- Change the {id} of the previous URL with the valid recordID. Change the value of "name" parameter with the following payload:
BusinessHours" onfocus="alert(document.domain)" autofocus ""="

**Inject the payload Payload PoC

PoC Video

https://drive.google.com/file/d/1eOMZ1-ltqBA4OgJh1s14sRllXnqoU8XV/view?usp=sharing

Impact

An XSS attack allows an attacker to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

We are processing your report and will contact the yetiforcecompany/yetiforcecrm team within 24 hours. 4 months ago
thanhlocpanda modified the report
4 months ago
thanhlocpanda modified the report
4 months ago
thanhlocpanda modified the report
4 months ago
We have contacted a member of the yetiforcecompany/yetiforcecrm team and are waiting to hear back 3 months ago
thanhlocpanda modified the report
3 months ago
thanhlocpanda modified the report
3 months ago
We have sent a follow up to the yetiforcecompany/yetiforcecrm team. We will try again in 7 days. 3 months ago
thanhlocpanda modified the report
3 months ago
Mariusz Krzaczkowski validated this vulnerability 3 months ago
thanhlocpanda has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the yetiforcecompany/yetiforcecrm team. We will try again in 7 days. 3 months ago
We have sent a second fix follow up to the yetiforcecompany/yetiforcecrm team. We will try again in 10 days. 3 months ago
We have sent a third and final fix follow up to the yetiforcecompany/yetiforcecrm team. This report is now considered stale. 3 months ago
thanhlocpanda
3 months ago

Researcher


Hi @admin, @mariuszkrzaczkowski fixed my security report 24 days ago, please help me to solve this problem and publish the CVE. You can check the commit: https://github.com/YetiForceCompany/YetiForceCRM/commit/54728becfdad9b6e686bbe336007cba2ce518248#diff-f9364cb7859e4c25166032dd4585de38ada54f1c106cadf1968baf7d0902dd61

Jamie Slome
3 months ago

Admin


It looks like the maintainer is going through the reports and updating the fixes, please allow som time and some patience for the maintainer to finish this 👍

Radosław Skrzypczak marked this as fixed in 6.4.0 with commit 54728b 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
EditViewBlocks.tpl#L32 has been validated
to join this conversation