Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtDavid Silveiro1337DAY-ID-25124
HistoryJun 21, 2016 - 12:00 a.m.

YetiForce CRM < 3.1 - Persistent Cross-Site Scripting

2016-06-2100:00:00
David Silveiro
0day.today
77
JSON

Exploit for php platform in category web applications

# Exploit Title: YetiForce CRM < 3.1  - Persistant XSS Vulnerability
# Exploit Author: David Silveiro 
# Exploit Author Github: github.com/davidsilveiro
# Exploit Author Twitter: twitter.com/david_silveiro 
# Vendor Homepage: https://yetiforce.com/
# Software Link: http://sourceforge.net/projects/yetiforce/
# Date: Fixed on 20th June 2016
 
YetiForce CRM was built on a rock-solid Vtiger foundation, but has hundreds of changes that help to accomplish even the most challenging tasks in the simplest way
 
YetiForce is vulnerable to a stored XSS vulnerability present within a users comment section.
 
POC:
 
Within 'Companies & Accounts > Accounts' select your prefered user, and then in the 'Comments' section input;
 
<img src=x onerror=alert('XSS');>
 
Either refresh the current page, or navigate back to 'Accounts'

#  0day.today [2018-03-28]  #
JSON