Zurmo CRM – Persistent Cross-Site Scripting

• Exploit Database
• 6 阅读

• 作者： Provensec
  日期： 2014-07-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/33953/

• # Affected software: Zurmo CRM
  # Zurmo is an Open Source Customer Relationship Management (CRM)
  application that is
  # mobile, social, and gamified. We use a test-driven methodology for
  building every part of the # application.
  # Type of vulnerability: XSS Stored
  # URL: zurmo.com
  #
  # Discovered by: Provensec
  # Website: http://www.provensec.com
  
  # Description: ZumoCRM is prone to a Persistent Cross Site Scripting attack
  that allows a malicious user to inject HTML or scripts that can access any
  cookies, session tokens, or other
  sensitive information retained by your browser and used with that site.
  # Proof of concept
  # 1. Create a report as a Normal user
  # 2. Select module: Accounts
  # 3. Select filter: Name
  # 4. Select column Employees and as a value use: "><script>alert('XSS by
  Provensec')</script>
  # 5. Save the report and share it with other users to distribute your
  malicious code.