Summary
There is a Stored Cross-Site Scripting (XSS) vulnerability in the GroupEditor.php page of the application. A user who creates a group role can supply input that is stored and later executed as JavaScript. To exploit this, the user must have permission to view and modify groups in the application.
PoC
Navigate to an existing group on the application.
In the group, create a new role with the following input: "><img src=x onerror=alert(1)>
Submit the role by clicking the Add New Role button. The frontend sends an API POST request to /crm/api/groups/<GROUP_ID>/roles.
The page will automatically reload, and after waiting a few seconds, the JavaScript alert box appears.
Impact
This vulnerability can result in malicious actions against the application, such as account takeover by modifying a user's password, if an administrator accesses the application. The payload executes whenever a user visits the page vulnerable to XSS.
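The fix for this class of bug is to encode the stored role input wherever it is written into markup. The following is an added example, not the application's own code: the input markup, function names and validation limits are assumptions chosen to show why the PoC input breaks out of an attribute value and how encoding at output stops it.

```javascript
// Constructed sample: the role input from the PoC, as the roles API would return it.
const POC_ROLE_NAME = '"><img src=x onerror=alert(1)>';

// Vulnerable pattern (assumed markup): the stored value is concatenated
// straight into an attribute, so a double quote ends the attribute early.
function renderRoleUnsafe(role) {
  return '<input type="text" class="role-name" value="' + role.name + '">';
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can close an attribute value or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: identical markup, value encoded at the point of output.
function renderRoleSafe(role) {
  return '<input type="text" class="role-name" value="' + escapeHtml(role.name) + '">';
}

// Helper for checking output: names of all tags that start in the markup.
function tagsIn(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Defence in depth for the POST handler (hypothetical policy: the real field
// constraints are not given on the page). Output encoding remains the fix.
function isAcceptableRoleName(name) {
  return typeof name === 'string'
    && name.trim().length > 0
    && name.length <= 50                    // assumed maximum length
    && !/[<>\u0000-\u001f]/.test(name);     // no angle brackets or control chars
}

const role = { name: POC_ROLE_NAME };
console.log('unsafe tags:', tagsIn(renderRoleUnsafe(role)));
console.log('safe tags:  ', tagsIn(renderRoleSafe(role)));
console.log('accepted by validation:', isAcceptableRoleName(POC_ROLE_NAME));
```

In browser code that builds the DOM directly, assigning the value through `textContent` or `input.value` instead of `innerHTML` gives the same protection without manual encoding.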