# Exploit Title: eramba Enterprise & Community Editions Stored XSS
# Author: Yunus YILDIRIM (Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com
# Website: www.yunus.ninja
# Contact: yunusyildirim@protonmail.com
1. ADVISORY INFORMATION
=======================
Product: eramba Open-Source IT GRC
Description: eramba is a web-application that helps with the analysis, management and reporting of Security,
Governance, Risk and Compliance challenges.
Founded in 2011 and followed by a community of tens of thousands, we are building the leading
open-source GRC application on Internet.
Vendor URL: http://www.eramba.org
Download Link: http://www.eramba.org/resources/download/
2. VULNERABILITY SUMMARY
========================
Stored XSS in Notification Page.
eramba is vulnerable to a stored XSS when an user created Notifications with an
malicious payload on the "Notification Name" field.
The html/javascript payload is executed when another user tries to use the
see Notifications.
3. TECHNICAL DETAILS
========================
Stored XSS in Notification Page.
eramba is vulnerable to a stored XSS when an user created Notifications with an
malicious payload on the "Notification Name" field.
The html/javascript payload is executed when another user tries to use the
see Notifications.
4. PROOF OF CONCEPT
========================
PoC for Enterprise or Community Edition:
1- Go, System - Settings - Notifications menu or
Just go http://<eramba-IP>/notificationSystem/attach/Project
2- Click Manage button
3- Add Warning or Add Awareness or Add Default. You can select anyone of them.
4- In "Notification Name" field, here is the payload "><svg/onload=prompt(/CT-Zer0/)>
5- Save it, you see pop-up
/notificationSystem/index/Project
PoC Video: https://www.youtube.com/watch?v=03xNMcpXqTs
5. AFFECTED VERSIONS
====================
Community Edition <= c1.0.6.001
Enterprise Edition <= e1.0.6.018
Vulnerability Disclosure Timeline:
=========================
29/11/2016 - Contact With Vendor
30/11/2016 - Vendor Response
16/12/2016 - Public Dislosure