Ultimate Project Manager CRM PRO v1.3.7 WebShell Upload & Stored XSS Injections

2019.04.17
ru QUIXSS (RU) ru
Risk: High
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

# Title: Ultimate Project Manager CRM PRO v1.3.7 WebShell Upload & Stored XSS Injections # Author: QUIXSS # Date: 2019-04-16 # Software: Ultimate Project Manager CRM PRO v1.3.7 # Technical Details & Description: # Weak file upload filtering (.PHP5/.PHP7 isn't filtering) and multiple Stored XSS vulnerabilitieshas been discovered in the «Ultimate Project Manager CRM PRO» web-application. Current version of this web-application is 1.3.7. # PoC #1 [WebShell Upload]: # It's possible to upload any PHP file via «File Manager» (for the demo website) -> https://hrm-crm.uniquecoder.com/admin/filemanager, just change file type from .PHP to .PHP5 (for PHP v5.X) or .PHP7 (for PHP v7.X) and upload the file. Or just rename your local .PHP file type to .TXT and upload it like this, then rename file type in the «File Manager» back to .PHP5 or .PHP7. Uploaded file will be inside this directory (for the demo website) -> https://hrm-crm.uniquecoder.com/-/ # PoC #2 [Stored XSS Injections]: # The whole web-application doesn't have any input field filters so you can use any input field for Stored XSS Injection. Most usefull fields is «Company Name» and «Legal Name» located (at the demo website) here: https://hrm-crm.uniquecoder.com/admin/settings. Data from this fields will be loaded on literally each page u visit. # Sample payload: "><script>alert('QUIXSS')</script>

References:

https://codecanyon.net/item/ultimate-project-manager-crm-pro/16292398


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top