eramba Enterprise & Community Editions Stored XSS

2016.12.17
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: eramba Enterprise & Community Editions Stored XSS
# Author: Yunus YILDIRIM (Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com
# Website: www.yunus.ninja
# Contact: yunusyildirim@protonmail.com

1. ADVISORY INFORMATION
=======================
Product: eramba Open-Source IT GRC
Description: eramba is a web application that helps with the analysis, management and reporting of Security, Governance, Risk and Compliance challenges. Founded in 2011 and followed by a community of tens of thousands, we are building the leading open-source GRC application on the Internet.
Vendor URL: http://www.eramba.org
Download Link: http://www.eramba.org/resources/download/

2. VULNERABILITY SUMMARY
========================
Stored XSS in the Notification page. eramba is vulnerable to a stored XSS when a user creates a Notification with a malicious payload in the "Notification Name" field. The HTML/JavaScript payload is executed when another user views the Notifications.

3. TECHNICAL DETAILS
====================
Stored XSS in the Notification page. eramba is vulnerable to a stored XSS when a user creates a Notification with a malicious payload in the "Notification Name" field. The HTML/JavaScript payload is executed when another user views the Notifications.

4. PROOF OF CONCEPT
===================
PoC for Enterprise or Community Edition:
1- Go to the System - Settings - Notifications menu, or just go to http://<eramba-IP>/notificationSystem/attach/Project
2- Click the Manage button
3- Add Warning, Add Awareness or Add Default. You can select any one of them.
4- In the "Notification Name" field, enter the payload: "><svg/onload=prompt(/CT-Zer0/)>
5- Save it; you will see the pop-up at /notificationSystem/index/Project
PoC Video: https://www.youtube.com/watch?v=03xNMcpXqTs

5. AFFECTED VERSIONS
====================
Community Edition <= c1.0.6.001
Enterprise Edition <= e1.0.6.018

Vulnerability Disclosure Timeline:
=================================
29/11/2016 - Contact With Vendor
30/11/2016 - Vendor Response
16/12/2016 - Public Disclosure

References:

https://www.youtube.com/watch?v=03xNMcpXqTs


Copyright 2018, cxsecurity.com