1CRM On-Premise Software 跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1688780 漏洞类型 跨站脚本
发布时间 2019-08-03 更新时间 2019-09-04
CVE编号 CVE-2019-14221 CNNVD-ID CNNVD-201908-289
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019080011
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201908-289
|漏洞详情
1CRM Systems 1CRM On-Premise Software是加拿大1CRM Systems公司的一套内部部署CRM(客户关系管理)系统。 1CRM Systems 1CRM On-Premise Software 8.5.7版本中存在跨站脚本漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。
|漏洞EXP
******************************************************************
*                  1CRM On-Premise Software 8.5.7                *
*                           Stored XSS                           *
******************************************************************


////////////////////////////////////////////////////////////////////////////////////

# Exploit Title: 1CRM On-Premise Software 8.5.7 - Cross-Site Scripting
# Date: 19/07/2019
# Exploit Author: Kusol Watchara-Apanukorn
# Vendor Homepage: https://1crm.com/
# Version: 8.5.7 <=
# Tested on: CentOS 7.6.1810 (Core)
# CVE : CVE-2019-14221
////////////////////////////////////////////////////////////////////////////////////


//////////////////////////////////////////////////////////////////////////////////////////////////////////////

1CRM On-Premise Software 8.5.7 allows XSS via a payload that is
mishandled during a Run Report operation.  ///

//////////////////////////////////////////////////////////////////////////////////////////////////////////////


Vulnerability Description:

XSS flaws occur whenever an application includes untrusted data in a
new web page without proper validation or escaping, or updates an
existing web page with user supplied data using a browser API that can
create JavaScript. XSS allows attackers to execute scripts in the
victim’s browser which can hijack user sessions, deface web sites, or
redirect the user to malicious sites.


########################################################################################################################
Attack Narratives and Scenarios:
                                                #

                                                #
**Attacker**
                                                #
1. Login as any user
                                                #
2. Click Email icon
                                                #
3. Click Report
                                                #
4. Click Create Report
                                                #
5. Fill Report Name (In our case we fill Company B)
                                                #
6. Assign to Victim (In our case we assigned to admin)
                                                #
7. Click Column Layout
                                                #
8. Click Add empty column
                                                #
9. Input malicious code (In our case:
<script>alert(document.cookie);</script>)
          #
10. Click Save
                                                #

                                                #
**Victim**
                                                #
1. Click email icon
                                                #
2. Click Report
                                                #
3. Choose report that we recently created (In our case we choose
Company B)                                            #
4. Click Run Report
                                                #
5. Admin cookie will popup
                                                #
########################################################################################################################

PoC

-----------------------------------------

Github: https://github.com/cccaaasser/1CRM-CVE/blob/master/CVE-2019-14221.md


Vulnerability Disclosure Timeline:
==================================

19 July, 19 : Found Vulnerability

19 July, 19 : Vendor Notification

24 July  19 : Vendor Response

24 July  19 : Vendor Fixed

31 July, 19 : Vendor released new patched version 8.5.10

|参考资料

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/153859/1CRM-On-Premise-Software-8.5.7-Cross-Site-Scripting.html


来源:www.exploit-db.com

链接:https://www.exploit-db.com/exploits/47206