CiviCRM 5.59.alpha1 Cross Site Scripting

Risk: Low
Local: No
Remote: Yes

# Exploit Title: CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting) # Date: 2023-02-02 # Exploit Author: Andrea Intilangelo # Vendor Homepage: # Software Link: # Version: 5.59.alpha1, 5.58.0 (and earlier), 5.57.3 (and earlier) # Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 109.0.1, Microsoft Edge 109.0.1518.70) # CVE: CVE-2023-25440 / Vendor Security Advisory: CIVI-SA-2023-05 Description: A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows attacker to execute arbitrary web scripts or HTML. Injecting persistent javascript code inside the "Add Contact" function while creating a contact, in first/second name field, it will be triggered once page gets loaded. Steps to reproduce: - Quick Add contact to CiviCRM, - Insert a payload PoC inside the field(s) - Click on 'Add contact'. If a user visits the dashboard, as well as "Recently added" box, the javascript code will be rendered. Timeline: 2023-01-29: Vulnerability discovered 2023-02-02: Request for CVE reservation 2023-02-04: Vendor contacted 2023-02-06: Vendor replies, acknowledgments and coordinating for advisory 2023-02-14: Vendor discloses Security advisory and credits, internal id: CIVI-SA-2023-05 2023-02-15: Vendor Security Advisory publication on 2023-04-27: Assigned CVE number: CVE-2023-25440 2023-05-18: CVE publication / disclosure

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023,


Back to Top