| Field | Value |
|---|---|
| Title | Talentera Talentera for recruitment agencies (CMS) latest Cross Site Scripting |
| Source | https://www.talentera.com/en/recruitment-agencies/ |
| User | NikolaT3sla (UID 30112) |
| Submission | 28/11/2024 11:19 (2 years ago) |
| Moderate | 08/12/2024 08:59 (10 days later) |
| Status | Accepted |
| VulDB Entry | 287266 [Talentera up to 20241128 byt_cv_manager redirect_url cross site scripting] |
| Points | 20 |

Description:
This vulnerability stems from insufficient sanitization of user-controlled input within the platform. Specifically, the application reflects unvalidated data in the response without proper encoding, allowing attackers to inject malicious JavaScript. This can be used to steal sensitive information, such as session tokens, manipulate content, or perform actions on behalf of the victim.
Impact:
The impact of this vulnerability is significant as it allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. Potential consequences include:
- Compromise of user sessions or sensitive data.
- Unauthorized actions performed on behalf of the victim.
- Harm to the platform's reputation and user trust.
Steps to Reproduce:
- Go to the vulnerable page, e.g., https://TARGET.com/app/control/byt_cv_manager?byt_cv_stage=30&cv_id=93857712&x_cord=0&y_cord=0&width=&height=&original_image=&view=cv-edit&redirect_url=wss://TARGET.com/%0d%0AContent-Type:text/html;charset=utf-8%0D%0A%0D%0A%3Cimg%20src%3Dx%20onerror%3Dalert%281%29&order_from=mycv&csrf_token=&email_action_p=0&upload_file=%ff%d8%ff (as an authenticated user)
- Observe that the `<img` tag is reflected and the JavaScript event handler is executed within the page.
NOTE: We took advantage of the reflection of the redirect_url parameter in the 302 response to exploit a CRLF injection + XSS (bypassing the sanitizer using the ws:// scheme) to achieve a full response rewrite. Note that this payload only works in Firefox.
Proof of Concept:
Please see screenshot here: https://cloudphoto.ro/en/OVcHC1Pb3twmFC7
Password: talentera
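An added example (not code from the report or from Talentera) showing the unsafe Location-header construction the report describes beside a validator that decodes the parameter, rejects CR/LF before parsing, and pins the scheme and host; the host `target.example`, the function names and the trimmed sample payload are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOST = "target.example"          # assumed host; the report writes TARGET.com
CTL_RE = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF and other header-breaking control chars

# Constructed sample in the shape of the report's redirect_url value, still percent-encoded
# as it arrives in the query string (trailing parameters dropped).
SAMPLE_PAYLOAD = ("wss://target.example/%0d%0AContent-Type:text/html;charset=utf-8"
                  "%0D%0A%0D%0A%3Cimg%20src%3Dx%20onerror%3Dalert%281%29")


def build_302_unsafe(raw_redirect_url: str) -> bytes:
    """Vulnerable pattern: the decoded parameter is concatenated straight into the header block,
    so a decoded CR/LF ends the Location header and the rest becomes injected headers and body."""
    location = unquote(raw_redirect_url)
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode()


def validate_redirect_url(raw: str, allowed_host: str = ALLOWED_HOST) -> tuple[bool, str]:
    """Return (ok, reason). Decode first so %0d%0a is caught; test for control characters
    before urlsplit(), which silently strips CR/LF/TAB and would hide the injection."""
    decoded = unquote(raw)
    if CTL_RE.search(decoded):
        return False, "control character in redirect target"
    parts = urlsplit(decoded)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:      # closes the ws:// and wss:// bypass
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.hostname is None or parts.hostname.lower() != allowed_host:
        return False, "redirect leaves the allowed host"
    return True, "ok"


def build_302_safe(raw_redirect_url: str) -> bytes:
    """Hardened pattern: refuse the redirect instead of trying to clean the value."""
    ok, reason = validate_redirect_url(raw_redirect_url)
    if not ok:
        body = f"invalid redirect_url: {reason}"
        return (f"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n"
                f"Content-Length: {len(body)}\r\n\r\n{body}").encode()
    return f"HTTP/1.1 302 Found\r\nLocation: {unquote(raw_redirect_url)}\r\n\r\n".encode()


def header_lines(response: bytes) -> list[bytes]:
    """Header lines of a raw response (status line excluded); a sound 302 here has exactly one."""
    head = response.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")[1:]
```

Running `header_lines` over the unsafe output shows the second, injected header, which is also a cheap check to put in a response-side test for any handler that echoes a URL parameter into a header.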