Persistent Cross Site Scripting - WidgetsManagement Module - Settings in yetiforcecompany/yetiforcecrm
Reported on
Aug 19th 2022
Description
The application uses Purifier to avoid the Cross Site Scripting attack. However, On WidgetsManagement module from Settings, the "title"parameter is not validated and it's used directly without any encoding or validation on Vitger/dashboards/ChartFilter.tpl. It allows attacker to inject arbitrary Javascript code to perform an Stored XSS attack.
Proof of Concept
- 1- Login to the application
- 2- Access the WidgetsManagement Module via the following URL:
https://gitstable.yetiforce.com/index.php?module=WidgetsManagement&parent=Settings&view=Configuration- 3-Click to the button "Edit chart from filter". Change the value of "title" parameter with the following payload:
Widgets" onfocus="alert(document.domain)" autofocus ""="
**Inject the payload
PoC Video
https://drive.google.com/file/d/1mqJq_e1sfnUyQ-amBujR2Bes2lUiQZVF/view?usp=sharing
Impact
An XSS attack allows an attacker to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.
Occurrences
Hi @admin, the bug has been fixed, but @rskrzypczak not change the status of this report. Please check: https://github.com/YetiForceCompany/YetiForceCRM/commit/b716ecea340783b842498425faa029800bd30420#diff-9ac35062c8895bf2adb08710f42e87cd3ff45dd40c1dc53d62d9511782e483eb