Ekushey Project Manager CRM v3.1 Stored XSS

2019.04.16

QUIXSS (RU)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

«Ekushey Project Manager CRM» have no input field filtering, so you can post any payload u want on almost each page with input field on it.
PoC: go to the authors demo website http://creativeitem.com/demo/ekushey/index.php/login and log in as admin and then go to the «System Settings» page ( http://creativeitem.com/demo/ekushey/index.php/admin/system_settings ). Most usefull fields is «System Name», «System Title» and «Address», test any payload u want, f.e.: "><script>alert(1)</script> or "><img src="x" onerror="window.location.replace('https://cxsecurity.com/');"> - all this stuff will work. The whole project is vunnerable to Stored XSS attacks, so you can save your payloads on almost each page with input field on it: «Manage Client», «Manage Project», «Running Team Tasks», etc. etc.

References:

https://codecanyon.net/item/ekushey-project-manager-crm/9492104

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Ekushey Project Manager CRM v3.1 Stored XSS

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.