PerfectView CRM Cross Site Scripting

2014-07-08T00:00:00
ID PACKETSTORM:127387
Type packetstorm
Reporter Juan Sacco
Modified 2014-07-08T00:00:00

Description

                                        
                                            `# Affected software: PerfectView CRM  
# Description: PerfectView CRM is a software for Relationship Management,  
Marketing & Sales  
# Type of vulnerability: XSS Persistent  
# URL: http://perfectviewcrm.com  
#  
# Discovered by: Provensec  
# Website: http://www.provensec.com  
  
# Description: PerfectView is prone to a Persistent Cross Site Scripting  
attack  
that allows a malicious user to inject HTML or scripts that can access any  
cookies, session tokens, or other  
sensitive information retained by your browser and used with that site.  
# Proof of concept  
# 1. Create a Conversation report as a Normal user inside "To Do".  
# 2. Select the new conversation  
# 3. Add a note with the following value: "><script>alert('XSS by  
Provensec')</script>  
# 5. Save the conversation and use the functionality in To Do menu to  
forward it to a colleague.  
# Screenshot attached  
`
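The proof of concept above is a procedure, not code. The following is an added example, written for this page and not taken from PerfectView or Provensec, that models the stored-XSS flow end to end: a note is saved (step 3), then rendered for the colleague who receives the forwarded conversation (step 4), once through an unescaped template and once through an HTML-escaping one. The template shape (the note echoed into an attribute value) is an assumption; it is chosen because the advisory's payload begins with `">`, which is the classic attribute break-out. The note store and the conversation id are constructed for the example.

```javascript
// Added example (not PerfectView's code). Models the stored XSS described in the
// advisory and the escaping fix. The store, ids and template are assumptions.
const noteStore = new Map(); // conversationId -> [note, ...]; stands in for the CRM database

// The advisory's payload: the leading "> closes an attribute value and its tag,
// after which the <script> element is parsed as markup.
const PAYLOAD = "\"><script>alert('XSS by Provensec')</script>";

// Step 3: the attacker saves a note. Storage is not the defect; the note is a
// plain string until a renderer puts it into HTML without escaping.
function addNote(conversationId, note) {
  if (!noteStore.has(conversationId)) noteStore.set(conversationId, []);
  noteStore.get(conversationId).push(String(note));
}

// Vulnerable renderer (assumed template): the note is interpolated straight into
// an attribute value, so any quote/angle bracket in it changes the HTML structure.
function renderNotesVulnerable(conversationId) {
  return (noteStore.get(conversationId) || [])
    .map((n) => `<input type="text" name="note" value="${n}">`)
    .join("\n");
}

// Fix: escape every character that can end an attribute or start a tag before
// interpolation. Output encoding at render time is the control for stored XSS.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderNotesSafe(conversationId) {
  return (noteStore.get(conversationId) || [])
    .map((n) => `<input type="text" name="note" value="${escapeHtml(n)}">`)
    .join("\n");
}

// Step 4: forwarding delivers the stored note to the colleague, whose browser
// renders whatever markup the server produced.
function colleagueView(conversationId, renderer) {
  return renderer(conversationId);
}

// Crude markup-level check: did a real <script> tag survive rendering? A proper
// test would load the markup in a browser or jsdom; this only inspects the text.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Runs the whole scenario on constructed data and returns both renderings.
function demo() {
  noteStore.clear();
  addNote("conv-1", "Call back on Monday"); // benign note
  addNote("conv-1", PAYLOAD);               // attacker's note from step 3
  const vulnerable = colleagueView("conv-1", renderNotesVulnerable);
  const safe = colleagueView("conv-1", renderNotesSafe);
  return {
    vulnerable,
    safe,
    vulnerableHasScript: containsScriptTag(vulnerable), // true: payload escaped the attribute
    safeHasScript: containsScriptTag(safe),             // false: payload is inert text
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log("vulnerable:\n" + r.vulnerable + "\n\nsafe:\n" + r.safe);
}
```

The escaping function is context-specific: it is correct for HTML text and quoted attribute values, which is the context the PoC payload targets. A note echoed into a JavaScript string, a URL, or an unquoted attribute needs the encoder for that context instead, and the cleanest way to get that consistently is a templating engine that escapes by default rather than hand-calling `escapeHtml` at every interpolation.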