
Stark CRM v1.0 Multiple Script Injection And Session Riding Vulnerabilities

Risk
Medium
Advisory ID
ZSL-2014-5169
Release Date
20 February 2014
Vendor
IWCn Systems Inc. - http://www.iwcn.ws
Affected Version
1.0
Tested On
Nginx, PHP, MySQL
Summary

Stark CRM is a lightweight CRM that simplifies the process of managing staff, clients and projects.

Description

Stark CRM does not sanitize user input supplied through several POST parameters before storing it and rendering it back to other users, resulting in multiple stored cross-site scripting (XSS) vulnerabilities. The application also carries out state-changing actions on plain HTTP requests without any check (such as an anti-CSRF token) that the request was intentionally issued by the authenticated user, which makes it vulnerable to cross-site request forgery (CSRF, also called session riding). An attacker who lures a logged-in user, including an administrator, to a malicious web site can therefore perform actions with that user's privileges and/or execute arbitrary HTML and script code in the browser session of any user who views the stored content.
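The two weaknesses described above, shown side by side in an added illustration that is not Stark CRM source code: a hypothetical "add client" handler (the script name add_client.php, the parameter client_name and the table clients are all assumed names, not identifiers from the advisory), written first in the unprotected form the description refers to and then with a per-session anti-CSRF token and contextual output encoding.

```php
<?php
// Added example, not Stark CRM code: a hypothetical "add client" handler
// (add_client.php, parameter client_name, table clients are all assumed
// names) written first the way the advisory describes and then hardened.
session_start();

/* ---- Vulnerable pattern -------------------------------------------------
 * Any POST reaching this script is acted on, so a form on an attacker's page
 * can submit it with the victim's session cookie (CSRF / session riding).
 * The stored value is later echoed as raw HTML, so a payload such as
 * <script>...</script> in client_name runs in every viewer's browser
 * (stored XSS).
 */
function vulnerable_add_client(PDO $db): string
{
    $name = $_POST['client_name'] ?? '';
    $db->prepare('INSERT INTO clients (name) VALUES (?)')->execute([$name]);
    return "<li>$name</li>";            // unencoded: script executes
}

/* ---- Hardened pattern --------------------------------------------------- */

// One random token per session; it is embedded in every form and required
// on every state-changing request. A third-party page cannot read it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function require_valid_csrf_token(): void
{
    $sent = $_POST['csrf'] ?? '';
    // hash_equals() compares in constant time and returns false for '' or a
    // value of the wrong length, so a missing token is rejected as well.
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
}

// Contextual output encoding: the stored string is shown as text, never
// interpreted as markup.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function hardened_add_client(PDO $db): string
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('POST required');
    }
    require_valid_csrf_token();

    $name = trim((string) ($_POST['client_name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        http_response_code(400);
        exit('Bad client name');
    }
    $db->prepare('INSERT INTO clients (name) VALUES (?)')->execute([$name]);
    return '<li>' . h($name) . '</li>';
}

// The form the legitimate UI serves; the hidden token field is what the
// vulnerable application lacks.
function render_add_client_form(): string
{
    return '<form method="post" action="add_client.php">'
         . '<input type="hidden" name="csrf" value="' . h(csrf_token()) . '">'
         . '<input name="client_name" maxlength="100">'
         . '<button type="submit">Add client</button>'
         . '</form>';
}
```

To see the difference, point a page on another origin at the handler with a form whose client_name field carries a script tag and a one-line script that calls submit() on it, then open that page while logged in: the vulnerable handler stores and later renders the payload for every staff member, while the hardened one answers 403 because the forged request has no valid token and the attacker's page cannot read the victim's session token. Setting the session cookie with the SameSite attribute (session_set_cookie_params() accepts a samesite option from PHP 7.3 onward) adds defence in depth, but it does not replace the token check, and encoding on output is what neutralizes payloads that are already stored.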

Proof of Concept
Disclosure Timeline

03.02.2014 - Vulnerabilities discovered.
07.02.2014 - Vendor notified; details sent.
07.02.2014 - Vendor confirms the issues and begins developing a patch.
17.02.2014 - Vendor asked for a status update.
19.02.2014 - No response from the vendor.
20.02.2014 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog

20.02.2014 - Initial release.
21.02.2014 - Added reference [3].
22.02.2014 - Added references [4], [5], [6], [7], [8] and [9].
28.02.2014 - Added reference [10].
26.01.2015 - Added references [11], [12], [13], [14], [15] and [16].