| Title | WORKSUITE - HR, CRM and Project Management v5.5.25 Cross Site Scripting |
|---|
| Description | 1. Executive Summary
I have identified a Stored Cross-Site Scripting (XSS) vulnerability in the WORKSUITE - HR, CRM and Project Management application (worksuite.biz), tested on the vendor's demo environment. The vulnerability allows an attacker to inject a JavaScript payload through the "Create Order" form. When an administrator or any other user later views the created order, the payload executes automatically in that user's browser.
Product: WORKSUITE - HR, CRM and Project Management
Version: v5.5.25 (latest update at the time of testing)
2. Vulnerability Details
Vulnerability Type: Stored Cross-Site Scripting (XSS)
Vulnerable Endpoint: https://demo.worksuite.biz/account/orders/create
Vulnerable Parameter: Client Note
Vector: HTML injection via a <details> element carrying an inline event handler.
3. Technical Description
The application neither sanitizes nor output-encodes the Client Note value submitted through the order creation form; the stored value is later written into the order view page as raw HTML. By injecting a small HTML5 payload, I was able to trigger arbitrary JavaScript execution in the viewer's browser.
I used the <details> element with the open attribute and an ontoggle event handler. This vector needs no user interaction (no click, hover or focus): because the element is already marked open, the browser fires the toggle event as soon as it renders the element, so the handler runs on page load. The slashes in the payload are accepted by the HTML parser as attribute separators, which lets the payload avoid whitespace.
Payload Used:
```html
<details/open/ontoggle=prompt(origin)>
```
4. Steps to Reproduce
Log in to the application as a user with permission to create orders (the admin user was used for testing).
Navigate to the order creation page: https://demo.worksuite.biz/account/orders/create.
In the Client Note field, enter the following payload:
```html
<details/open/ontoggle=prompt(origin)>
```
Submit the form to create the order.
Log in as an Administrator (or as any user who can open the "View Order" page).
Navigate to the newly created order.
Observation: a prompt box appears displaying the page origin, confirming that the injected JavaScript executed in the viewing user's session.
5. Impact
This vulnerability allows an attacker to execute arbitrary JavaScript in the context of the victim's session. Because the payload is stored, it fires for every user who views the order, not only for the one who was tricked into a link. Potential impacts include:
Session Hijacking: Stealing administrator session cookies (where they are not HttpOnly) or otherwise acting with the victim's authenticated session to take over accounts.
Phishing: Modifying the page content to trick users into entering credentials or other sensitive data.
Unauthorized Actions: Performing actions on behalf of the victim (e.g., creating additional admin users, deleting data) without their consent; requests made from the injected script carry the victim's session and any CSRF token present in the page.
6. Remediation / Suggested Fix
To mitigate this vulnerability, the following steps are recommended:
Input Sanitization: Apply a strict allow-list to each input field. If a field such as Client Note does not need HTML, reject or strip all tags on input.
Output Encoding: Contextually encode all user-supplied data before rendering it in the browser. For an HTML text context, convert the special characters &, <, >, " and ' into their HTML entity equivalents (e.g., &amp;, &lt;, &gt;, &quot;, &#x27;), using the template engine's escaped output rather than its raw-output syntax.
Content Security Policy (CSP): Deploy a CSP whose script-src does not include 'unsafe-inline', so that inline scripts and inline event handler attributes such as ontoggle are blocked by the browser. This is defence in depth and does not replace output encoding.
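The following is an added example, not code from the Worksuite project or from the original report. It shows the output-encoding fix recommended above applied to the Client Note value described in the technical section: the same note is rendered once raw (the vulnerable behaviour) and once HTML-entity encoded (the fix), together with a stripping allow-list variant and a small heuristic check that flags a rendered fragment still containing an inline event handler. The template string, function names and the second sample note are assumptions made for the example; the first sample is the payload from this report.

```javascript
// Added example (not Worksuite code). Contextual HTML-entity encoding for a
// user-supplied note before it is written into an HTML text node, beside the
// raw rendering that makes the <details/open/ontoggle=...> payload execute.

// The five characters that can change meaning in HTML text or attribute
// context. '&' is included so an attacker cannot smuggle pre-built entities.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value for safe insertion into an HTML text node or a quoted
// attribute value. This is the "Output Encoding" fix from the remediation list.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stricter variant for a field that must never carry markup: drop every tag,
// then encode what is left so nothing can re-form a tag later. Deliberately
// lossy: an unterminated '<' removes everything after it.
function stripTags(input) {
  return escapeHtml(String(input).replace(/<[^>]*>?/g, ''));
}

// Heuristic usable in a unit test or during log review: does a rendered
// fragment still contain a raw tag with an inline on*= handler attribute?
const INLINE_HANDLER = /<[a-z][^>]*\bon[a-z]+\s*=/i;
function containsInlineHandler(html) {
  return INLINE_HANDLER.test(html);
}

// Constructed samples (assumption): the payload from the report, plus a
// harmless note that shows legitimate punctuation survives encoding intact.
const SAMPLES = [
  '<details/open/ontoggle=prompt(origin)>',
  'Client & Co. <urgent> order "please"',
];

// Assumed order-view template. encode=false reproduces the vulnerable raw
// rendering; encode=true is the fixed rendering.
function renderNote(note, { encode }) {
  const value = encode ? escapeHtml(note) : note;
  return `<div class="client-note">${value}</div>`;
}

// Side-by-side demonstration.
for (const note of SAMPLES) {
  const raw = renderNote(note, { encode: false });
  const safe = renderNote(note, { encode: true });
  console.log('raw     :', raw, '| inline handler:', containsInlineHandler(raw));
  console.log('encoded :', safe, '| inline handler:', containsInlineHandler(safe));
  console.log('stripped:', stripTags(note));
}
```

Run with `node` to see that the raw rendering of the report's payload is flagged while the encoded rendering of the same value is plain text. Entity encoding is preferred over stripping for a free-text note because it preserves what the user typed; stripping is only appropriate where the field is documented as plain text.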
|
|---|
| User | AhmadMarzouk (UID 95993) |
|---|
| Submission | 2026-02-28 00:26 (1 month ago) |
|---|
| Moderation | 2026-03-14 13:27 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 351072 [Worksuite HR, CRM and Project Management up to 5.5.25 /account/orders/create Client Note cross site scripting] |
|---|
| Points | 17 |
|---|