Menu

Search for hundreds of thousands of exploits

"1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting"

Author

"Kusol Watchara-Apanukorn"

Platform

php

Release date

2019-08-02

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
******************************************************************
*                  1CRM On-Premise Software 8.5.7                *
*                           Stored XSS                           *
******************************************************************


////////////////////////////////////////////////////////////////////////////////////

# Exploit Title: 1CRM On-Premise Software 8.5.7 - Cross-Site Scripting
# Date: 19/07/2019
# Exploit Author: Kusol Watchara-Apanukorn
# Vendor Homepage: https://1crm.com/
# Version: 8.5.7 <=
# Tested on: CentOS 7.6.1810 (Core)
# CVE : CVE-2019-14221
////////////////////////////////////////////////////////////////////////////////////


//////////////////////////////////////////////////////////////////////////////////////////////////////////////

1CRM On-Premise Software 8.5.7 allows XSS via a payload that is
mishandled during a Run Report operation.  ///

//////////////////////////////////////////////////////////////////////////////////////////////////////////////


Vulnerability Description:

XSS flaws occur whenever an application includes untrusted data in a
new web page without proper validation or escaping, or updates an
existing web page with user supplied data using a browser API that can
create JavaScript. XSS allows attackers to execute scripts in the
victim’s browser which can hijack user sessions, deface web sites, or
redirect the user to malicious sites.


########################################################################################################################
Attack Narratives and Scenarios:
                                                #

                                                #
**Attacker**
                                                #
1. Login as any user
                                                #
2. Click Email icon
                                                #
3. Click Report
                                                #
4. Click Create Report
                                                #
5. Fill Report Name (In our case we fill Company B)
                                                #
6. Assign to Victim (In our case we assigned to admin)
                                                #
7. Click Column Layout
                                                #
8. Click Add empty column
                                                #
9. Input malicious code (In our case:
<script>alert(document.cookie);</script>)
          #
10. Click Save
                                                #

                                                #
**Victim**
                                                #
1. Click email icon
                                                #
2. Click Report
                                                #
3. Choose report that we recently created (In our case we choose
Company B)                                            #
4. Click Run Report
                                                #
5. Admin cookie will popup
                                                #
########################################################################################################################

PoC

-----------------------------------------

Github: https://github.com/cccaaasser/1CRM-CVE/blob/master/CVE-2019-14221.md


Vulnerability Disclosure Timeline:
==================================

19 July, 19 : Found Vulnerability

19 July, 19 : Vendor Notification

24 July  19 : Vendor Response

24 July  19 : Vendor Fixed

31 July, 19 : Vendor released new patched version 8.5.10
Release Date Title Type Platform Author
2019-08-20 "WordPress Add Mime Types Plugin 2.2.1 - Cross-Site Request Forgery" webapps php "Princy Edward"
2019-08-19 "YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection" webapps php "Fabian Mosch"
2019-08-19 "Neo Billing 3.5 - Persistent Cross-Site Scripting" webapps php n1x_
2019-08-19 "Kimai 2 - Persistent Cross-Site Scripting" webapps php osamaalaa
2019-08-16 "Integria IMS 5.0.86 - Arbitrary File Upload" webapps php Greg.Priest
2019-08-16 "Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion" webapps php qw3rTyTy
2019-08-16 "EyesOfNetwork 5.1 - Authenticated Remote Command Execution" webapps php "Nassim Asrir"
2019-08-14 "WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery" webapps php "Princy Edward"
2019-08-14 "Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'customfields.php' SQL Injection" webapps php qw3rTyTy
2019-08-14 "SugarCRM Enterprise 9.0.0 - Cross-Site Scripting" webapps php "Ilca Lucian Florin"
2019-08-12 "Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell" webapps php xerubus
2019-08-12 "Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download" webapps php xerubus
2019-08-14 "Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)" remote php "Ege Balci"
2019-08-13 "AZORult Botnet - SQL Injection" remote php prsecurity
2019-08-13 "Agent Tesla Botnet - Arbitrary Code Execution" remote php prsecurity
2019-08-12 "Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection" webapps php qw3rTyTy
2019-08-12 "osTicket 1.12 - Persistent Cross-Site Scripting" webapps php "Aishwarya Iyer"
2019-08-12 "osTicket 1.12 - Formula Injection" webapps php "Aishwarya Iyer"
2019-08-12 "osTicket 1.12 - Persistent Cross-Site Scripting via File Upload" webapps php "Aishwarya Iyer"
2019-08-12 "Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticket.php' Arbitrary File Deletion" webapps php qw3rTyTy
2019-08-12 "Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticketreply.php' SQL Injection" webapps php qw3rTyTy
2019-08-12 "UNA 10.0.0 RC1 - 'polyglot.php' Persistent Cross-Site Scripting" webapps php Greg.Priest
2019-08-12 "BSI Advance Hotel Booking System 2.0 - 'booking_details.php Persistent Cross-Site Scripting" webapps php "Angelo Ruwantha"
2019-08-08 "Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection" webapps php qw3rTyTy
2019-08-08 "Adive Framework 2.0.7 - Cross-Site Request Forgery" webapps php "Pablo Santiago"
2019-08-08 "Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - Arbitrary File Download" webapps php qw3rTyTy
2019-08-08 "Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)" webapps php "Mr Winst0n"
2019-08-08 "Open-School 3.0 / Community Edition 2.3 - Cross-Site Scripting" webapps php Greg.Priest
2019-08-08 "Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)" remote php "Ege Balci"
2019-08-07 "WordPress Plugin JoomSport 3.3 - SQL Injection" webapps php "Pablo Santiago"
Release Date Title Type Platform Author
2019-08-02 "1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting" webapps php "Kusol Watchara-Apanukorn"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47206/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47206/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47206/41581/1crm-on-premise-software-857-persistent-cross-site-scripting/download/", "exploit_id": "47206", "exploit_description": "\"1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting\"", "exploit_date": "2019-08-02", "exploit_author": "\"Kusol Watchara-Apanukorn\"", "exploit_type": "webapps", "exploit_platform": "php", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse