Call Us - +91 844 8444 025 | Email - [email protected]
mobile-logo

CVE-2023-40810-HTML injection-Product Creation

November 8, 2023
by Marketing Team
    • Vendor of the product(s) –
    • Product Name – OpenCRX
    • Version – exact ver of the product which is vulnerable – 5.2.0
    • Affected component(s) – Product
    • Attack vector(s) – Web Application
    • Suggested description of the vulnerability for use in the CVE- HTML injection on the Product Creation
    • Discoverer(s)/Credits – your name -Nandini Sharma
    • Step by Step POC written in sequential order – prepare a word file for all this.

    Title:  HTML injection at Accounts Creation

    INTRODUCTION

    HTML Injection is a type of web application security vulnerability where an attacker is able to inject malicious HTML code into a web page viewed by other users.  The attack can be launched by an attacker who enters specially crafted HTML code, such as script tags or iframe elements, into the input field. The web application may then display this malicious HTML code to other users, potentially executing the code in their web browser and allowing the attacker to carry out their malicious actions.

    eSecForte Technologies Security Researcher – Nandini Sharma reported a HTML Injection

    Description: HTML Injection in which attacker simple insert payload at product on the name filed and it executed when attacker save the Product Creation.

    Platform/Product: OpenCRX

    Vulnerability Name: Html Injection

    Affected Component: Product Name Field

    Attack Type:

    Impact: 

    HTML injection can result in the modification of web page content or the execution of malicious scripts, leading to the theft of sensitive information, malware distribution, phishing attacks, defacement of websites, or denial of service. It can have a significant impact on the reputation and security of a website and the organization that runs it.

    Recommendation:

    Preventing HTML injection requires proper input validation and sanitization of user input.

    Method of Exploitation

    Step to reproduce: –

Step-1 Navigate to https://demo.opencrx.org/opencrx-core-CRX/ObjectInspectorServlet?requestId=3D06QMASG8CMLDTV63YISTS8F&event=24?loginFailed=false and login as Guest credentials

Step-2 Now, create new Product in the Product Section as shown below: –

Step-3 Now, Insert Html payload in the Name field as shown below:-

Paylaod – <font color=”red”>Esecforte</font>

Note: All the fields in general are vulnerable to HTML Injection

 

Step-4 Now, click on the save button to save this. It has been observed by the auditor that HTML payload execute successfully.

 

Note: Following are the vulnerable fields.

Name,

Product Name,

Detailed Description,

Reason,

Category,

External  Link

[Discoverer]                                                                                                      

Nandini Sharma from eSec Forte Technologies Pvt. Ltd

BlogExploits
Share
Tags:
CVE-2023-40809-HTML injection-search Previous
CVE-2023-40812-HTML injection-Accounts Group Next