OroCRM - Stored XSS Vulnerability

2014-09-11T00:00:00
ID 1337DAY-ID-22625
Type zdt
Reporter Provensec
Modified 2014-09-11T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Affected software: OroCRM is an easy-to-use, open source CRM with built in marketing automation tools for your commerce business. It's the CRM built for both sales and marketing!
# Discovered by: Provensec
# Website: http://www.provensec.com
# Author: Provensec Labs
# Type of vulnerability: XSS Stored
# Description:

1 Goto http://server add a new lead fill all the fields properly but Fill the email filed with xss payload  as given in the screenshot
http://prntscr.com/4lf043 

payload used "><img src=d onerror=confirm(/provensec/);>

2 click save and close button

http://prntscr.com/4lf0ej

#  0day.today [2018-03-13]  #