Summary

Vtiger (https://www.vtiger.com/open-source/) is an open source CRM web application. The open source version 6.4 is affected by a stored/persistent XSS (Cross site scripting) vulnerability within the web ui which allows remote authenticated users to gain additional privileges through XSS attacks on other users of the CRM.

Details & Proof of Concept

The authenticated low privileged user creates an organization with the name:

manual=“%26amp%3Blt%3Bimg%20src%3Dx%20onerror%3D%22alert(‚XSS‘)%3B%22″ message=“XSS payload“ highlight=““ provider=“manual“/

After saving the new organization every user who accesses the organizations tab and has the „Recently Modified“ widget open (default) will run the malicious code including admins.

Input:

Pop:

Resulting code:

Timeline

18.01.2016 – Vulnerability discovered and contacted cve-assign@mitre.org
23.01.2016 – Contacted vTiger support
27.01.2016 – Vtiger opened an issue for the vulnerability
21.03.2016 – Patch commited to working branch
06.06.2016 – MITRE assigns CVE-2016-5324

Links

http://code.vtiger.com/vtiger/vtigercrm/issues/93

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5324

Additional notes

One may wonder why the fix is using blacklisting of functions as this is proven to be faulty by design.

I already contacted them again with a new proof of concept on the 21. March but they don’t seem to have fixed the issue.

Worth another CVE? Feel free to give it a try!
But remember to give the vendor enough time to fix the issue.

Vtiger version 6.5.0 is being planned in Q3 / Q4 2016.

Happy pentesting