zurmo / Zurmo

GNU Affero General Public License v3.0

Cross Site Scripting #12

Open meshach007m opened 7 years ago

meshach007m commented 7 years ago

Description: Hi, I would hereby like to report a Cross Site Scripting vulnerability that I found in zurmo-stable-3.2.1.57987acc3018, in which a base64-encoded XSS payload was used to carry out the attack successfully.

Technical Description: Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser. The attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. To the victim's browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker.

Vulnerability Type: Cross Site Scripting

Affected Product Code Base: zurmo-stable-3.2.1.57987acc3018

Affected Component: http://127.0.0.1/zurmo/app/index.php/meetings/default/createMeeting?redirectUrl=data:text/html;base64,PHNjcmlwdD5hbGVydCgnU3Ryb25nQm94IElUIC0gWFNTIFRlc3QnKTwvc2NyaXB0Pg== (Will add more when I test other components too)

Attack Vectors / Steps to Replicate:

  1. Log in to zurmo-crm (User: super user).

  2. Go to http://127.0.0.1/zurmo/app/index.php/meetings/default/createMeeting?redirectUrl=data:text/html;base64,PHNjcmlwdD5hbGVydCgnU3Ryb25nQm94IElUIC0gWFNTIFRlc3QnKTwvc2NyaXB0Pg==.

  3. The XSS payload used is the base64-encoded string "PHNjcmlwdD5hbGVydCgnU3Ryb25nQm94IElUIC0gWFNTIFRlc3QnKTwvc2NyaXB0Pg==".

  4. Fill in the meeting form and click Save. The XSS payload will be executed.

Reference: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Discoverer: Meshach. M
Organization: StrongBox IT
Website: http://www.strongboxit.com/
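The report above shows the `redirectUrl` parameter being honoured as-is after the form is saved, so a `data:text/html;base64,...` value becomes the navigation target and the embedded script runs in the logged-in user's browser. The following Python is an added illustration, not code from the Zurmo project (which is written in PHP): it decodes the reported payload so the reader can see what the base64 string carries, and shows the allow-list check a post-save redirect parameter needs. The allowed host `127.0.0.1` and the fallback path are assumptions taken from the URL in the report; the check accepts only same-site relative paths and absolute http/https URLs on an allowed host, and rejects `data:`, `javascript:`, protocol-relative and control-character forms.

```python
import base64
from urllib.parse import urlsplit

# The base64 string from the report; REPORTED_REDIRECT_URL is the full
# redirectUrl value as it appears in the reproduction steps.
REPORTED_PAYLOAD_B64 = "PHNjcmlwdD5hbGVydCgnU3Ryb25nQm94IElUIC0gWFNTIFRlc3QnKTwvc2NyaXB0Pg=="
REPORTED_REDIRECT_URL = "data:text/html;base64," + REPORTED_PAYLOAD_B64

# Assumption: the only host that may be redirected to is the one in the report.
ALLOWED_HOSTS = frozenset({"127.0.0.1"})
# Assumption: a harmless in-app page to fall back to when the parameter is rejected.
DEFAULT_REDIRECT = "/zurmo/app/index.php/meetings/default/list"


def decode_payload(b64: str) -> str:
    """Decode the base64 body of a data: URI to show what the browser would render."""
    return base64.b64decode(b64).decode("utf-8")


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allow-list check for a redirect target taken from a request parameter.

    Accepts only:
      (a) a relative path that starts with exactly one '/', or
      (b) an absolute http/https URL whose host is in allowed_hosts.
    Anything else is rejected: data: and javascript: schemes, protocol-relative
    '//host' and '/\\host' forms, userinfo tricks like 'http://127.0.0.1@evil',
    and values containing whitespace or control characters that browsers strip.
    """
    if not url:
        return False
    # Browsers discard leading/trailing whitespace and embedded control characters
    # before parsing, so reject such inputs instead of trying to normalise them.
    if url != url.strip() or any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False

    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: '/x' is fine, '//host' and '/\host' are not.
        return url.startswith("/") and not url.startswith("//") and not url.startswith("/\\")
    if parts.scheme.lower() in ("http", "https"):
        # parts.hostname is the real host even when userinfo or a port is present.
        return parts.hostname is not None and parts.hostname.lower() in allowed_hosts
    # data:, javascript:, file:, and every other scheme.
    return False


def resolve_redirect(url: str, default: str = DEFAULT_REDIRECT) -> str:
    """Return the requested target only if it passes the allow-list, else the default."""
    return url if is_safe_redirect(url) else default


if __name__ == "__main__":
    print("decoded payload:", decode_payload(REPORTED_PAYLOAD_B64))
    for candidate in (
        REPORTED_REDIRECT_URL,
        "javascript:alert(1)",
        "//evil.example/",
        "http://127.0.0.1@evil.example/",
        "/zurmo/app/index.php/meetings/default/list",
        "http://127.0.0.1/zurmo/app/index.php",
    ):
        print(f"{candidate!r:60} -> {resolve_redirect(candidate)}")
```

The decoded payload is `<script>alert('StrongBox IT - XSS Test')</script>`. Two practical caveats: current browsers refuse top-level navigation to `data:` URLs (Chrome since version 60, Firefox since 59), so the exact proof of concept may no longer pop an alert, but a `javascript:` URL in the same parameter still executes when the redirect is performed client-side, so the fix has to be scheme and host validation rather than a blocklist of `data:` alone; and the parameter should be validated on the server before it is echoed into either a `Location` header or a script, since a header-based redirect to an attacker-controlled host is an open redirect even where no script can run.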