Vtiger (https://www.vtiger.com/open-source/) is an open source CRM web application. The open source version 6.4 is affected by a stored (persistent) cross-site scripting (XSS) vulnerability in the web UI. A remote, authenticated user with low privileges can plant script that runs in the browsers of other CRM users, including administrators, and thereby gain additional privileges.
Details & Proof of Concept
The authenticated low-privileged user creates an organization whose name is the following string (shown URL-encoded, as it is submitted in the form):
%26amp%3Blt%3Bimg%20src%3Dx%20onerror%3D%22alert('XSS')%3B%22
The leading %26amp%3Blt%3B URL-decodes to &amp;lt;, which only turns into a literal < after the value has been entity-decoded twice, so a check that looks at the singly decoded input sees no tag at all.
After the new organization is saved, every user who opens the Organizations tab with the "Recently Modified" widget enabled (the default) runs the injected script, administrators included.
18.01.2016 – Vulnerability discovered; firstname.lastname@example.org contacted
23.01.2016 – Contacted vTiger support
27.01.2016 – Vtiger opened an issue for the vulnerability
21.03.2016 – Patch committed to working branch
06.06.2016 – MITRE assigns CVE-2016-5324
One may wonder why the fix relies on blacklisting function names, an approach that is known to be bypassable by design: it only ever covers the cases its authors thought of, whereas escaping the value for its output context neutralizes any input.
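The following Python script is an added illustration, not code from this advisory or from Vtiger. It traces the decoding chain of the organization name from the proof of concept above and then contrasts a function-name blacklist applied at input time with contextual escaping applied at output time. It assumes a simplified pipeline that the page does not describe: the server URL-decodes the submitted value once and strips literal tags, and the widget entity-decodes the stored value twice before inserting it into the page. The second name using confirm( is a constructed variant for the comparison only; it is not the author's unpublished second proof of concept.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample: the organization name from the advisory, URL-encoded as it is
# submitted in the form post. Note the leading %26amp%3Blt%3B, i.e. "&amp;lt;".
SUBMITTED_NAME = "%26amp%3Blt%3Bimg%20src%3Dx%20onerror%3D%22alert('XSS')%3B%22"

# Hypothetical variant (not from the page): same structure, different function name.
SUBMITTED_VARIANT = "%26amp%3Blt%3Bimg%20src%3Dx%20onerror%3D%22confirm('XSS')%3B%22"

# Assumed server-side input step: URL-decode once and strip anything that looks
# like an HTML tag. The payload contains no literal '<' here, so nothing is removed.
TAG_RE = re.compile(r"<[^>]*>?")


def sanitize_input(submitted: str) -> str:
    """Return the value as the assumed input filter would store it."""
    return TAG_RE.sub("", unquote(submitted))


# Hypothetical blacklist in the spirit of the fix the post criticises: reject input
# that contains one of a fixed set of JavaScript function names.
FUNCTION_BLACKLIST = ("alert(", "prompt(", "eval(")


def blacklist_accepts(submitted: str) -> bool:
    """True if the input filter plus blacklist would let the value be stored."""
    value = sanitize_input(submitted).lower()
    return not any(bad in value for bad in FUNCTION_BLACKLIST)


# Assumed rendering side: the stored value is entity-decoded twice (e.g. once by an
# API/DB layer and once by the widget template) before it reaches the page.
def decode_for_display(stored: str, rounds: int = 2) -> str:
    for _ in range(rounds):
        stored = html.unescape(stored)
    return stored


def render_raw(stored: str) -> str:
    """Vulnerable: interpolates the decoded value straight into the widget markup."""
    return f'<td class="recently-modified">{decode_for_display(stored)}</td>'


def render_escaped(stored: str) -> str:
    """Hardened: escape for the HTML text context at the point of output, whatever
    the stored value decodes to. No blacklist is needed for this to hold."""
    safe = html.escape(decode_for_display(stored), quote=True)
    return f'<td class="recently-modified">{safe}</td>'


LIVE_HANDLER = re.compile(r"<img\b[^>]*\bonerror\s*=", re.IGNORECASE)


def has_live_handler(rendered_html: str) -> bool:
    """True if the markup contains an <img> carrying an onerror attribute, i.e. a
    browser would execute the handler when the bogus image fails to load."""
    return LIVE_HANDLER.search(rendered_html) is not None


def trace(submitted: str) -> dict:
    """Each stage of the decoding chain for a submitted name."""
    once = unquote(submitted)
    return {
        "url_decoded": once,
        "stored_after_tag_strip": sanitize_input(submitted),
        "after_entity_decode_1": html.unescape(once),
        "after_entity_decode_2": html.unescape(html.unescape(once)),
    }


if __name__ == "__main__":
    for stage, value in trace(SUBMITTED_NAME).items():
        print(f"{stage:24} {value}")
    stored = sanitize_input(SUBMITTED_NAME)
    print("raw render executes:     ", has_live_handler(render_raw(stored)))
    print("escaped render executes: ", has_live_handler(render_escaped(stored)))
    print("blacklist accepts alert: ", blacklist_accepts(SUBMITTED_NAME))
    print("blacklist accepts confirm:", blacklist_accepts(SUBMITTED_VARIANT))
    variant = sanitize_input(SUBMITTED_VARIANT)
    print("variant, raw render:     ", has_live_handler(render_raw(variant)))
    print("variant, escaped render: ", has_live_handler(render_escaped(variant)))
```

The trace shows the tag materializing only at the second entity decode, which is why an input-side tag filter never sees it. The blacklist refuses the alert( name and accepts the confirm( variant, which then executes just as the original does under raw rendering, while render_escaped keeps both inert because it encodes the value for the context it is written into rather than guessing which strings are dangerous.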
I already contacted them again with a new proof of concept on 21 March, but they don't seem to have fixed the issue.
Worth another CVE? Feel free to give it a try!
But remember to give the vendor enough time to fix the issue.
Vtiger version 6.5.0 is planned for Q3/Q4 2016.