Stored XSS in 'Table name' field via Database information function in yetiforcecompany/yetiforcecrm
Aug 16th 2022
When the administrator opens the Database information function, malicious content stored in the table name is rendered and executed in the administrator's browser. Two cases make this possible:
- (1) An internal attacker (local) with access rights to the database could insert malicious content into the table name field by creating a table in the database.
- (2) The system administrator imports a database from an unknown source in which the table name field has been injected with malicious content.
Proof of Concept
CREATE TABLE `yetiforce`.`<script>alert('stored_xss')</script>` ( `id` INT NOT NULL ) ENGINE = InnoDB CHARSET=armscii8 COLLATE armscii8_general_nopad_ci;
- Step 1: The internal attacker creates a new table with the payload above.
- Step 2: Access the Database information function in Admin Dashboard > Logs > Server configuration.
- Step 3: The XSS fires immediately when the detailed information about the database is loaded.
This vulnerability allows attackers to hijack the user's current session, steal sensitive information, deface the website, or redirect users to malicious websites.
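The root cause is that database metadata (the table name) is written into the admin page as raw HTML. The following added example (not code from the report or from YetiForce) contrasts that pattern with the escaped version and adds a small audit helper that flags table names which do not look like plain identifiers; the table-name list is constructed sample input, with the second entry being the payload from this report.

```python
import html
import re

# Constructed sample: table names as a "SHOW TABLES" query might return
# them. The second entry is the payload from the report above.
SAMPLE_TABLE_NAMES = [
    "vtiger_users",
    "<script>alert('stored_xss')</script>",
    "u_yf_notes",
]

# Ordinary CRM table names are plain identifiers; anything that does not
# match this pattern deserves a look before it is rendered in an admin page.
SAFE_IDENT = re.compile(r"^[A-Za-z0-9_]+$")


def render_rows_vulnerable(table_names):
    """Pattern behind the bug: DB metadata concatenated straight into HTML."""
    return "".join(f"<tr><td>{name}</td></tr>" for name in table_names)


def render_rows_hardened(table_names):
    """Same markup, but every table name is HTML-escaped before insertion."""
    return "".join(
        f"<tr><td>{html.escape(name, quote=True)}</td></tr>"
        for name in table_names
    )


def suspicious_table_names(table_names):
    """Audit helper: return names that are not plain identifiers."""
    return [name for name in table_names if not SAFE_IDENT.match(name)]


if __name__ == "__main__":
    print(render_rows_vulnerable(SAMPLE_TABLE_NAMES))
    print(render_rows_hardened(SAMPLE_TABLE_NAMES))
    print(suspicious_table_names(SAMPLE_TABLE_NAMES))
```

The audit helper can be run over the real table list after a database import from an untrusted source, before the Database information page is opened.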