# Exploit Title: eramba Enterprise & Community Editions Stored XSS
# Author:        Yunus YILDIRIM (Th3GundY)
# Team:          CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com
# Website:       www.yunus.ninja
# Contact:       yunusyildirim@protonmail.com

 
1. ADVISORY INFORMATION
=======================
Product:        eramba Open-Source IT GRC
Description:    eramba is a web application that helps with the analysis, management and reporting of Security,
                Governance, Risk and Compliance challenges.
                Founded in 2011 and followed by a community of tens of thousands, we are building the leading
                open-source GRC application on the Internet.
Vendor URL:     http://www.eramba.org
Download Link:  http://www.eramba.org/resources/download/
 

2. VULNERABILITY SUMMARY
========================

Stored XSS in the Notifications page.
eramba is vulnerable to a stored XSS when a user creates a Notification with a
malicious payload in the "Notification Name" field.
The HTML/JavaScript payload is executed when another user views the
Notifications list.



3. TECHNICAL DETAILS
====================

Stored XSS in the Notifications page.
The value entered in the "Notification Name" field is saved as-is and later
rendered into the Notifications list (/notificationSystem/index/Project) without
output encoding. Any HTML/JavaScript placed in the name is therefore
interpreted by the browser of every user who opens that list, not only the user
who created the Notification.


4. PROOF OF CONCEPT
===================

PoC for Enterprise or Community Edition:
1- Go to the System - Settings - Notifications menu, or
   open http://<eramba-IP>/notificationSystem/attach/Project directly
2- Click the Manage button
3- Click Add Warning, Add Awareness or Add Default (any of the three works)
4- In the "Notification Name" field, enter the payload "><svg/onload=prompt(/CT-Zer0/)>
5- Save it; the pop-up fires when the list at /notificationSystem/index/Project is loaded

PoC Video: https://www.youtube.com/watch?v=03xNMcpXqTs
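As an added illustration (not eramba's code), the Node.js snippet below places the PoC payload into an HTML template once unencoded, which is the stored-XSS pattern described above, and once with attribute-safe output encoding, then checks both outputs for injected tags. The `<input value="...">` template is an assumption about the rendering context suggested by the payload's leading `">`; the real eramba template is not shown on this page.

```javascript
// Added example, not eramba's code: the PoC payload from the advisory is placed
// into an HTML template two ways, once unencoded (the stored-XSS pattern) and
// once with output encoding, then both outputs are checked for injected tags.
// The <input value="..."> template is an assumption about the render context.
const POC_PAYLOAD = '"><svg/onload=prompt(/CT-Zer0/)>';

// Encode the five characters that change HTML structure. Escaping the quotes as
// well makes the result safe inside double- or single-quoted attribute values,
// which is the context the leading `">` of the payload breaks out of.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored Notification Name is concatenated directly
// into the attribute. `">` closes the value and the <svg> becomes live markup.
function renderNameUnsafe(name) {
  return '<input type="text" name="notification_name" value="' + name + '">';
}

// Fixed pattern: the name is encoded for the attribute it is written into, so
// the browser shows the payload as literal text and executes nothing.
function renderNameSafe(name) {
  return '<input type="text" name="notification_name" value="' + escapeHtml(name) + '">';
}

// Regression check for a template test suite: a rendered field must contain
// exactly one tag (the <input> itself). Any additional tag means the value
// escaped its attribute context.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Companion check for names already stored in the database: flag values that
// contain a tag opener or an inline event handler so an admin can review them.
function looksLikeMarkup(storedName) {
  return /<[a-zA-Z!\/]|\bon\w+\s*=/i.test(storedName);
}

console.log('unsafe tags:', countTags(renderNameUnsafe(POC_PAYLOAD))); // 2
console.log('safe tags:  ', countTags(renderNameSafe(POC_PAYLOAD)));   // 1
console.log('flag stored:', looksLikeMarkup(POC_PAYLOAD));             // true
```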
 

5. AFFECTED VERSIONS
====================
Community Edition <= c1.0.6.001
Enterprise Edition <= e1.0.6.018


Vulnerability Disclosure Timeline:
==================================
29/11/2016   -   Contact with Vendor
30/11/2016   -   Vendor Response
14/12/2016   -   Public Disclosure