Advertisement
CVE | Category | Price | Severity |
---|---|---|---|
CVE-2020-27161 | CWE-79 | $2,000 | High |
Author | Risk | Exploitation Type | Date |
---|---|---|---|
Cybersecurity Researcher | High | Remote | 2019-04-25 |
CVSS | EPSS | EPSSP |
---|---|---|
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N | 0.02192 | 0.50148 |
[*] :: Title: Perfex - Powerful Open Source CRM v2.3.4 Stored XSS Injection [*] :: Author: QUIXSS [*] :: Date: 2019-04-25 [*] :: Software: Perfex - Powerful Open Source CRM v2.3.4 [?] :: Technical Details & Description: # Weak security measures like bad input fields data filtering has been discovered in the Perfex - Powerful Open Source CRM. Current version of this web-application is 2.3.4. [?] :: Demo Website: # https://codecanyon.net/item/perfex-powerful-open-source-crm/14013737 # Backend: https://www.perfexcrm.com/demo/admin/authentication # Login/Password (admin): [email protected]/123123 [!] :: Special Note: # Author of this web-application was warned about bad security measures. Nothing has changed. [!] :: For developers: # Disabling any data changes on a demo websites doesn't make your applications more secure. It's good for business and sales but you are simply double-crossing your clients. [+] :: PoC [Links]: # https://www.perfexcrm.com/demo/admin # https://www.perfexcrm.com/demo/admin/authentication # https://www.perfexcrm.com/demo/authentication/login # https://www.perfexcrm.com/demo/knowledge-base [+] :: PoC [Stored XSS Injection]: # Authorize on the demo website for tests, then go to https://www.perfexcrm.com/demo/admin/settings page. On the Company Name input field use payload like " onload="alert('QUIXSS');"/>, save the data and then you'll see that XSS filter is not triggered and your payload is successfully injected. # Sample payload #1: " onload="alert('QUIXSS');"/> # Sample payload #2: " onload="alert('QUIXSS');window.open('https://cxsecurity.com/');"/>
Copyright ©2024 Exploitalert.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.