CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)

vendor:

Unknown

by:

Andrea Intilangelo

5.4

CVSS

MEDIUM

Stored XSS (Cross-Site Scripting)

Unknown

CWE

Product Name: Unknown

Affected Version From: 5.59.alpha1, 5.58.0 (and earlier), 5.57.3 (and earlier)

Affected Version To: Unknown

Patch Exists: NO

Related CWE: CVE-2023-25440

CPE: Unknown

Metasploit:

Other Scripts:

Platforms Tested: Latest Version of Desktop Web Browsers (ATTOW: Firefox 109.0.1, Microsoft Edge 109.0.1518.70)

2023

CiviCRM 5.59.alpha1 – Stored XSS (Cross-Site Scripting)

A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows attacker to execute arbitrary web scripts or HTML. Injecting persistent javascript code inside the 'Add Contact' function while creating a contact, in first/second name field, it will be triggered once page gets loaded.

Mitigation:

Unknown

Source

Exploit-DB raw data:

# Exploit Title: CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)
# Date: 2023-02-02
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://civicrm.org
# Software Link: https://civicrm.org/download
# Version: 5.59.alpha1, 5.58.0 (and earlier), 5.57.3 (and earlier)
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 109.0.1, Microsoft Edge 109.0.1518.70)
# CVE: CVE-2023-25440 
Vendor Security Advisory: CIVI-SA-2023-05


Description:

A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows attacker to execute arbitrary web
scripts or HTML.

Injecting persistent javascript code inside the "Add Contact" function while creating a contact, in first/second name
field, it will be triggered once page gets loaded.


Steps to reproduce:

- Quick Add contact to CiviCRM,
- Insert a payload PoC inside the field(s)
- Click on 'Add contact'.

If a user visits the dashboard, as well as "Recently added" box, the javascript code will be rendered.