EspoCRM 5.6.8 Stored XSS on Knowledge Base Article
Credit: Gaurav Narwani
The Common Vulnerabilities and Exposures (CVE) Program has assigned the ID CVE-2019-14550 to this issue. This is an entry on the CVE List, which standardizes names for security problems.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14550
CVE ID: CVE-2019-14550
Date of Disclosure: 3rd August 2019
Vendor, Product: EspoCRM, EspoCRM
Affected Product: EspoCRM Version 5.6.8
Severity Rating: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N (CVSS Base Score: 8.5)
Description:
During the assessment, it was observed that the Edit Dashboard feature has no protection against Cross-Site Scripting. When the value "><svg/onload=alert(document.cookie)> was added to the tab list, the JavaScript executed. Because the value is stored, an attacker who saves such a payload in the Edit Dashboard will have it execute every time the dashboard is loaded. The tab list lacks proper validation against XSS, which allows the malicious JavaScript to run and expose the victim's cookies. With that cookie, the attacker can log in to the victim's account, take it over completely and perform malicious actions on the victim's behalf.
Proof of Concept:
Affected Component: Tab list inside the Edit Dashboard Feature.
Stored XSS when editing dashboard.
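The root cause described above is a stored label being written into the page as markup. As an added illustration that is not EspoCRM's own code, the following contrasts an unescaped tab-list renderer with one that HTML-encodes each label in both attribute and text position; the function names and the `data-name` attribute are hypothetical.

```javascript
// Added example (not EspoCRM's own code): contrasts an unescaped tab-list
// renderer with one that HTML-encodes each label before it reaches the DOM.
// Names (escapeHtml, renderTabListUnsafe, renderTabListSafe) are hypothetical.

// Encode the five characters that let a string break out of HTML text or a
// quoted attribute. Ampersand goes first so encoded entities are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the saved label is concatenated straight into markup, so
// a label containing tags becomes live HTML every time the dashboard is rendered.
function renderTabListUnsafe(labels) {
  return '<ul class="tab-list">' +
    labels.map(label => `<li data-name="${label}">${label}</li>`).join('') +
    '</ul>';
}

// Hardened pattern: the label is encoded in both the attribute and the text
// position, so it is displayed literally and never parsed as markup.
function renderTabListSafe(labels) {
  return '<ul class="tab-list">' +
    labels.map(label => {
      const safe = escapeHtml(label);
      return `<li data-name="${safe}">${safe}</li>`;
    }).join('') +
    '</ul>';
}

// Defender's check: does the rendered HTML contain any tag other than the
// <ul>/<li> elements the renderer itself emits?
function containsForeignTag(html) {
  return /<(?!\/?(ul|li)\b)[a-zA-Z]/.test(html);
}

// Constructed sample: one benign label plus the payload quoted in the advisory.
const sampleLabels = ['Activities', '"><svg/onload=alert(document.cookie)>'];

console.log('unsafe:', renderTabListUnsafe(sampleLabels));
console.log('safe  :', renderTabListSafe(sampleLabels));
```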