Stored XSS in 'Table name' field via Database information function in yetiforcecompany/yetiforcecrm
Valid
Reported on Aug 16th 2022
Description
When the administrator opens the Database information function, markup injected into a table name is rendered in the page and executed. Two cases lead to this:
- (1) An internal attacker (local) with access rights to the database inserts malicious content into the table name field by creating a table in the database.
- (2) The system administrator imports a database from an unknown source in which the table name field has already been injected with malicious content.
Proof of Concept
Payload
CREATE TABLE `yetiforce`.`<script>alert('stored_xss')</script>` ( `id` INT NOT NULL ) ENGINE = InnoDB CHARSET=armscii8 COLLATE armscii8_general_nopad_ci;
Reproduction steps
- Step 1: The internal attacker creates a new table with the payload above.
- Step 2: Access the Database information function in Admin Dashboard > Logs > Server configuration.
- Step 3: The XSS fires immediately when the detailed database information is loaded.
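The root cause is that a table name read from the database is written into the page as markup. The following is an added example, not code from YetiForce or from the report: it renders a constructed list of table names (one carrying the report's payload) both the way the defect does it and with HTML output encoding, and adds an identifier allow-list check (an assumption about what an application schema should contain, not a MySQL rule) that an administrator can run on a schema before importing or displaying it. Function names are hypothetical.

```python
import html
import re

# Constructed sample of table names, as a "show tables" style query might
# return them. The second entry carries the markup from the report's payload;
# this is sample data, not read from a live database.
SAMPLE_TABLE_NAMES = [
    "vtiger_users",
    "<script>alert('stored_xss')</script>",
    "u_yf_notebook",
]

# Identifier policy (assumption): MySQL accepts almost any character inside a
# backtick-quoted identifier, so this allow-list reflects what an application
# schema is expected to contain, not what the database engine permits.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_]+$")


def render_table_rows_vulnerable(names):
    """Reproduces the defect: each identifier is concatenated into HTML verbatim,
    so a name containing <script> is delivered to the browser as live markup."""
    return "".join(f"<tr><td>{name}</td></tr>" for name in names)


def render_table_rows_fixed(names):
    """Hardened form: HTML-encode every identifier before it enters markup.
    quote=True also encodes ' and ", so the value is safe inside attributes."""
    return "".join(
        f"<tr><td>{html.escape(name, quote=True)}</td></tr>" for name in names
    )


def suspicious_identifiers(names):
    """Return the names that violate the identifier policy. This is a defence-in-depth
    check for schema review or import validation, not a substitute for encoding."""
    return [n for n in names if not IDENTIFIER_RE.match(n)]


if __name__ == "__main__":
    print("vulnerable:", render_table_rows_vulnerable(SAMPLE_TABLE_NAMES))
    print("fixed:     ", render_table_rows_fixed(SAMPLE_TABLE_NAMES))
    print("flagged:   ", suspicious_identifiers(SAMPLE_TABLE_NAMES))
```

Output encoding at the point where the identifier is written into the page is the fix that closes both cases in the description; the allow-list check only tells an administrator that a schema contains names that should not be there.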
Impact
This vulnerability allows attackers to hijack the user's current session, steal relevant information, deface the website, or redirect users to malicious websites.
Timeline
- We are processing your report and will contact the yetiforcecompany/yetiforcecrm team within 24 hours. (9 months ago)
- We have contacted a member of the yetiforcecompany/yetiforcecrm team and are waiting to hear back. (9 months ago)
- The researcher's credibility has increased: +7
- The fix bounty has been dropped
- This vulnerability will not receive a CVE