huntr.dev report 461E5F8F-17CF-4BE4-9149-111D0BD92D14, by thanhlocstudent, Aug 19, 2022 - 5:45 p.m.

Persistent Cross Site Scripting - Workflow Module - Settings

Tags: cross site scripting, workflow module, settings, purifier, validation, stored xss, injection, vulnerability

EPSS: 0.001 (percentile 21.4%)

Description

The application uses Purifier to defend against cross-site scripting. However, in the Workflow module under Settings, the type of the workflowModel->summary parameter is neither declared nor validated, and the value is rendered directly, without any encoding or validation, in Workflows/Step1.tpl and Workflows/Step2.tpl. This lets an attacker inject arbitrary JavaScript and perform a stored XSS attack. Because the summary is echoed inside an HTML attribute, sanitising markup is not enough on its own; the value needs attribute-context encoding at the point of output.

Proof of Concept

  1. Log in to the application.
  2. Open the edit view of a workflow in the Workflows module under Settings via the following URL, replacing {id} with a valid workflow record ID:
     https://gitstable.yetiforce.com/index.php?module=Workflows&parent=Settings&view=Edit&record={id}
  3. Set the value of the "summary" parameter to the following payload and save:
     Workflow" onfocus="alert(document.domain)" autofocus ""="
  4. When the workflow edit page (Step1/Step2) is rendered again, the payload closes the value attribute, adds an onfocus handler, and the autofocus attribute triggers it without user interaction, so alert(document.domain) fires for any user who opens the record.

PoC Video

https://drive.google.com/file/d/1Ri-tO_QjVcugTkroVDi8KxUfkoTJIb6n/view?usp=sharing
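The following is an added example, not code from YetiForce or from the report. It models the sink described above with an assumed `<input name="summary" value="...">` shape (the real Smarty templates Step1.tpl and Step2.tpl are not reproduced here), shows how the report's payload becomes extra attributes when the value is interpolated raw, and how attribute-context encoding stops that while preserving the user's text. The tokenizer is a rough model of the browser's attribute parsing, and all function names are the example's own.

```javascript
// Added example, not code from YetiForce or from the report. Models the sink the
// report describes (workflow "summary" echoed into a template attribute) with an
// assumed <input name="summary" value="..."> shape.

// The exact payload from the report.
const PAYLOAD = 'Workflow" onfocus="alert(document.domain)" autofocus ""="';

// Vulnerable rendering: the value is interpolated raw, as the report says the
// templates do. (Assumed template shape; the real Smarty templates may differ.)
function renderSummaryInputRaw(summary) {
  return `<input type="text" name="summary" value="${summary}">`;
}

// Attribute-context encoding: the five characters that can terminate a quoted
// attribute value, open a tag or start an entity become entities. This is the
// JavaScript equivalent of PHP's htmlspecialchars($s, ENT_QUOTES).
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSummaryInputSafe(summary) {
  return `<input type="text" name="summary" value="${escapeAttr(summary)}">`;
}

// Rough attribute tokenizer for a single start tag: walks the tag left to right,
// consuming quoted values so that quotes inside a value cannot start a new
// attribute. Close enough to the browser's tokenizer to show which attributes the
// page would actually receive; it is not a full HTML parser.
function attributeNames(tag) {
  const inner = tag.replace(/^<[a-zA-Z][^\s>]*/, '').replace(/\/?>$/, '');
  const re = /\s([^\s"'>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Attributes the template never intended to emit; anything listed came from user data.
const EXPECTED = new Set(['type', 'name', 'value']);
function injectedAttributes(tag) {
  return attributeNames(tag).filter((n) => !EXPECTED.has(n));
}

// Reverses escapeAttr, as the browser does when it reads the attribute back.
function decodeAttr(value) {
  return value
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Reads one double-quoted attribute from the tag and decodes it.
function attributeValue(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*"([^"]*)"`).exec(tag);
  return m ? decodeAttr(m[1]) : null;
}

const rawTag = renderSummaryInputRaw(PAYLOAD);
const safeTag = renderSummaryInputSafe(PAYLOAD);
console.log('raw  :', injectedAttributes(rawTag));   // [ 'onfocus', 'autofocus' ]
console.log('safe :', injectedAttributes(safeTag));  // []
// The encoded render still carries the user's text intact; it just cannot change structure.
console.log('round trip:', attributeValue(safeTag, 'value') === PAYLOAD);  // true
```

Run with `node`. In the project's own language the same output encoding is `htmlspecialchars($summary, ENT_QUOTES)` in PHP or the `|escape` modifier at the Smarty output point; Purifier is built to sanitise HTML fragments and is not a substitute for encoding a plain value at an attribute sink.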
