CVE-2023-40813-HTML injection-Saved Search
November 9, 2023
Vendor of the product(s) –
-
- Product Name – OpenCRX
- Version – exact ver of the product which is vulnerable – 5.2.0
- Affected component(s) – Saved Search Creation
- Attack vector(s) – Web Application
- Suggested description of the vulnerability for use in the CVE- HTML injection on the Saved Search Creation
- Discoverer(s)/Credits – your name -Nandini Sharma
- Step by Step POC written in sequential order – prepare a word file for all this.
Step-1 Navigate to https://demo.opencrx.org/opencrx-core-CRX/ObjectInspectorServlet?requestId=3D06QMASG8CMLDTV63YISTS8F&event=24?loginFailed=false and login as Guest credentials
Step-2 Now, create new Saved Search-Activity in the Activity Tracker as shown below: –
Step-3 Now, Insert Html payload in the Name and description field as shown below: –
Paylaod – <font color=”blue”>Esecforte</font>
Step-4 Now, click on the save button to save this activity. It has been observed by the auditor that HTML payload executed.
[Discoverer]
Nandini Sharma from eSec Forte Technologies Pvt. Ltd