Vendor: Feng Office
By: Provensec
CVSS: 4.3 (MEDIUM)
Type: XSS Stored
CWE: 79
Product Name: Feng Office
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: a:feng_office:feng_office
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2020
Feng Office XSS Stored Vulnerability
Feng Office is prone to a persistent (stored) Cross-Site Scripting vulnerability that allows a malicious user to inject HTML or script into a page. Because the injected content is stored by the application and rendered to other users, it can access any cookies, session tokens, or other sensitive information that the victim's browser retains for that site.

Proof of concept:
1. Create or edit a client.
2. Fill in the Name field (customer[name]) with this value: "><script>alert('XSS by Provensec')</script>
3. Save changes.
4. Share the client in the Activity feed; the stored payload is rendered for every user who views the feed.
Mitigation:
Validate user input on the server side and, since this is a stored XSS issue, encode the stored value for the HTML context in which it is rendered (for example, the client name as shown in the Activity feed), so that any injected markup is displayed as text rather than interpreted by the browser. Input validation alone is not sufficient; output encoding at the point of rendering is the control that prevents the script from executing.