Summary
Vtiger (https://www.vtiger.com/open-source/) is an open source CRM web application. The open source version 6.4 is affected by a stored/persistent XSS (cross-site scripting) vulnerability within the web UI which allows remote authenticated users to gain additional privileges through XSS attacks on other users of the CRM.
Details & Proof of Concept
The authenticated low-privileged user creates an organization with the name:
After saving the new organization, every user who accesses the organizations tab and has the "Recently Modified" widget open (the default) will run the malicious code, including admins.
Input, pop-up and resulting code (not preserved in this copy):
Timeline
18.01.2016 – Vulnerability discovered and contacted cve-assign@mitre.org
23.01.2016 – Contacted vTiger support
27.01.2016 – Vtiger opened an issue for the vulnerability
21.03.2016 – Patch committed to working branch
06.06.2016 – MITRE assigns CVE-2016-5324
Links
http://code.vtiger.com/vtiger/vtigercrm/issues/93
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5324
Additional notes
One may wonder why the fix uses blacklisting of function names, as this approach is proven to be faulty by design.
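To make the point concrete, here is an added example (not Vtiger's code, and not from the original advisory) contrasting the two approaches on the organization name that ends up in the "Recently Modified" widget. The blacklist filter, the list of tokens it strips, and the widget row markup are all hypothetical stand-ins; Python is used for illustration even though Vtiger itself is written in PHP, because the principle is the same. Contextual output encoding turns every character the browser could parse as markup into an entity, whereas a name-based blacklist leaves the HTML structure of the value intact and, as a side effect, mangles legitimate names that happen to contain a blacklisted word.

```python
import html
import re

# Hypothetical blacklist-style filter (not Vtiger's code): it removes a fixed
# set of function names but leaves any HTML structure in the value untouched.
BLACKLISTED_TOKENS = ("alert", "prompt", "confirm")


def blacklist_filter(org_name: str) -> str:
    """Strip blacklisted tokens; everything else passes through unchanged."""
    cleaned = org_name
    for token in BLACKLISTED_TOKENS:
        cleaned = re.sub(re.escape(token), "", cleaned, flags=re.IGNORECASE)
    return cleaned


def escape_for_html(org_name: str) -> str:
    """Contextual output encoding for an HTML text node or quoted attribute."""
    return html.escape(org_name, quote=True)


# Hypothetical widget row markup, standing in for the template that renders
# the "Recently Modified" list.
ROW_PREFIX = '<li class="recently-modified">'
ROW_SUFFIX = "</li>"


def render_widget_row(org_name: str, sanitizer) -> str:
    """Render one widget row the way a template would, running the
    user-supplied name through `sanitizer` first."""
    return f"{ROW_PREFIX}{sanitizer(org_name)}{ROW_SUFFIX}"


def user_data_leaks_markup(rendered_row: str) -> bool:
    """Defender's check: does the user-controlled part of the row still
    contain characters the browser would interpret as markup?"""
    inner = rendered_row[len(ROW_PREFIX):len(rendered_row) - len(ROW_SUFFIX)]
    return any(ch in inner for ch in '<>"\'')


# Constructed sample: harmless as text, but it carries HTML structure.
SAMPLE_NAME = '<b>Acme</b> & Sons "Ltd"'
# Constructed sample: a legitimate name containing a blacklisted word.
LEGIT_NAME = "Alert Systems Ltd"

if __name__ == "__main__":
    for label, fn in (("blacklist", blacklist_filter), ("escape", escape_for_html)):
        row = render_widget_row(SAMPLE_NAME, fn)
        print(f"{label:9s} leaks markup: {user_data_leaks_markup(row)}  ->  {row}")
    print("blacklist mangles legit name:", repr(blacklist_filter(LEGIT_NAME)))
```

The check in `user_data_leaks_markup` is the kind of assertion worth keeping in a template's test suite: it fails whenever a rendering path stops encoding user data, regardless of which function names an attacker might pick.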
I already contacted them again with a new proof of concept on 21 March but they don’t seem to have fixed the issue.
Worth another CVE? Feel free to give it a try!
But remember to give the vendor enough time to fix the issue.
Vtiger version 6.5.0 is being planned in Q3 / Q4 2016.
Happy pentesting