Multiple Stored XSS in EPESI

vendor:

EPESI

by:

Zeeshan Shaikh

8,8

CVSS

HIGH

Stored XSS

CWE

Product Name: EPESI

Affected Version From: 1.8.2 rev20170830

Affected Version To: 1.8.2 rev20170830

Patch Exists: Yes

Related CWE: CVE-2017-14712 to CVE-2017-14717

CPE: 2.3:a:epe.si:epe.si:1.8.2:*:*:*:*:*:*:*

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Web-based

2017

Multiple Stored XSS in EPESI

Multiple Stored XSS vulnerabilities exist in EPESI, a web-based business information manager. The vulnerabilities exist in the Tasks, Phonecalls, Notes, and Alerts modules. An attacker can exploit these vulnerabilities by creating a new task, phonecall, note, or alert and entering malicious JavaScript code in the title, description, or subject fields. The malicious code will be stored in the database and executed when the user views the task, phonecall, note, or alert.

Mitigation:

The vendor has released a patch to address these vulnerabilities. Users should upgrade to the latest version of EPESI.

Source

Exploit-DB raw data:

# Exploit Title: Multiple Stored XSS in EPESI
# Date: 10/03/2017
# Exploit Author: Zeeshan Shaikh
# Vendor Homepage: http://epe.si/
# Software Link: http://epe.si/download/
# Version: 1.8.2 rev20170830
# CVE : CVE-2017-14712 to CVE-2017-14717
# Category: webapps


XSS 1 (Tasks - Title)
Steps to recreate:
1. Home->Tasks->add new
2. Enter title as "MYTITLE" and fill required details but don't click save
3. Start interceptor and intercept request
4. click save
5. Now replace MYTITLE with "<i onclick=alert(1)>alertme</i>"(without
quotes)
6. Home->click on alertme

XSS 2 (Tasks - Description)
Steps to recreate:
1. Create a new task and fill description as "MYDESC" but don't click on
save
2. Start intercepting request and then click save on browser
3. Now replace MYDESC with "<script>alert(1)</script>"
4. Go to Home(make sure task applet is there) -> Mouseover on i icon

XSS 3 (Tasks/Phonecall - Notes - Title)
Steps to recreate:
1. Home->Tasks/PhoneCall->Notes->add new
2. Steps same as XSS 1
3. Click on alertme in notes section

XSS 4 (Tasks - Alerts - Title)
Steps to recreate:
1. Home->Tasks->Notes->add new
2. Steps same as XSS 1
3. Click on alertme in alerts section

XSS 5 (Phonecalls - Subject)
Steps to recreate:
1. Create a new phonecall and fill subject as "MYSUB" but don't click on
save
2. Start intercepting request and then click save on browser
3. Now replace MYSUB with "<script>alert(1)</script>"
4. Go to Home(make sure task applet is there) -> Mouseover on i icon

XSS 6 (Phonecalls - Description)
Same as XSS 5