Vulnerability Type: Cross Site Scripting (XSS)
Author: Do Quoc Thang
Vendor of Product: Dolibarr
Affected Product Code Base: Dolibarr - 21.0.0-beta
Affected Component: Stored XSS vulnerability in the Dolibarr Application via the Events/Agenda module
Description: Following the security policy at https://github.com/Dolibarr/dolibarr/security/policy, I discovered a stored XSS vulnerability in the Dolibarr Application's Events/Agenda module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter. Additionally, it can be leveraged with CSRF exploitation techniques to perform actions under the privileges of the targeted user.
Attack Vectors: The Events/Agenda module tracks events performed by the user, such as sending emails, applying for a job position, or adding an event for someone. The module is designed so that when the cursor hovers over the title or reference of a listed event, a tooltip is triggered and displays some information. To implement the tooltip, Dolibarr processes the user's input data and assigns the value to the "title" attribute; the tooltip is then triggered by moving the cursor over that location. When defining the callback for the tooltip, Dolibarr did not properly sanitize the value received from the title. As a result, an attacker can control the value that the tooltip renders after being triggered, leading to a stored XSS vulnerability.
Details:
The data is passed into the tooltip via the "title" attribute:
The function "getNomURL" generates an HTML snippet that carries the tooltip and returns the result in the following format: <a href="'.$url.'" title="……" class="classfortooltip">……
The function "getNomURL" retrieves the value from "$this->note_private":
And "$this->note_private" receives the input value from the user via: GETPOST($paramname, $check = "restricthtml")
The GETPOST function with $check = "restricthtml" did not properly handle user input, so dangerous values can be placed into the "title" attribute of the tooltip, such as: ' <script>alert("hello")</script> '
Because the browser decodes HTML entities when it parses an attribute, the value the tooltip receives when triggered is the decoded value of the "title" attribute. In the given example, the entity-encoded value stored in the "title" attribute is decoded by the browser, so the tooltip displays and renders it as: <script>alert("hello")</script>
With that result, the attacker's JavaScript is executed in the victim's browser.
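The decode-then-reinject flow described above, modelled as an added example (not Dolibarr's code): the entity decoder stands in for the browser's attribute parsing, the URL and the two tooltip callbacks are constructed for illustration, and the payload is the one quoted in the report. The safe variant shows the fix: escape again at the point where the decoded title is inserted as HTML.

```javascript
// Added example (not Dolibarr code): models the tooltip flow from the report.
// Server side: the event title is entity-encoded into the "title" attribute.
// Browser side: getAttribute() returns the DECODED value, so a tooltip callback
// that injects that value as HTML re-introduces any markup the user typed.

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Minimal stand-in for the browser's attribute-value decoding (single pass,
// left to right, like a real parser: "&amp;lt;" becomes "&lt;", not "<").
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => ({
    amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'",
  })[e]);
}

// What a getNomURL-style helper emits: markup is correctly encoded for the attribute.
function buildAnchor(url, title) {
  return `<a href="${escapeHtml(url)}" title="${escapeHtml(title)}" class="classfortooltip">event</a>`;
}

// The attribute text the browser hands to the tooltip callback (already decoded).
function titleFromAnchor(html) {
  const m = /title="([^"]*)"/.exec(html);
  return m ? decodeEntities(m[1]) : "";
}

// Vulnerable callback: treats the decoded title as HTML (innerHTML-style insertion).
function tooltipUnsafe(anchorHtml) {
  return `<div class="tooltip">${titleFromAnchor(anchorHtml)}</div>`;
}

// Fixed callback: escapes again at the HTML insertion point (textContent-style).
function tooltipSafe(anchorHtml) {
  return `<div class="tooltip">${escapeHtml(titleFromAnchor(anchorHtml))}</div>`;
}

// Constructed sample input: the payload quoted in the report and a placeholder URL.
const SAMPLE_TITLE = '<script>alert("hello")</script>';
const anchor = buildAnchor("/example/event?id=1", SAMPLE_TITLE);
console.log(anchor);                 // attribute holds only entities, no raw markup
console.log(tooltipUnsafe(anchor));  // markup survives the decode round trip
console.log(tooltipSafe(anchor));    // rendered as literal text
```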
Impact: This XSS vulnerability allows the execution of malicious JavaScript when a victim hovers over a specific location on the web interface. If the victim is a high-privileged user (e.g., an admin), the malicious script can automatically trigger a CSRF request, leveraging the victim's authenticated session to escalate privileges from a regular user to an admin without requiring any additional interaction. This could enable an attacker to take full control of the system, access or modify critical data, and severely impact the confidentiality, integrity, and availability of the system.
Proof of Concept (PoC) & Successful Exploitation: I have successfully exploited this vulnerability to escalate a regular user's privileges to an admin. By using an XSS payload combined with CSRF, I was able to execute privilege escalation without requiring the victim to take any action beyond simply hovering over the XSS-injected element.
CVSS 3.1 Impact Assessment
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Explanation for CVSS Calculation:
- Attack Vector (AV): Network (N) - The vulnerability can be exploited remotely over the network.
- Attack Complexity (AC): Low (L) - Requires minimal effort to exploit.
- Privileges Required (PR): Low (L) - Requires low-level user privileges.
- User Interaction (UI): Required (R) - The XSS is triggered when the victim user moves their mouse over the area containing the malicious payload.
- Scope (S): Changed (C) - The script executes in the victim's browser but is triggered by content served from the web server, causing an impact across different security boundaries.
- Confidentiality Impact (C): High (H) - This vulnerability allows the attacker to access sensitive data without additional user interaction. When the victim moves their mouse over the malicious payload, the attacker can execute commands under the victim’s privileges. This includes escalating privileges to admin, gaining access to any restricted information, or directly viewing data available to the victim.
- Integrity Impact (I): High (H) - This vulnerability enables unauthorized modification of data. By exploiting the injected malicious payload, the attacker can execute commands under the victim's privileges, escalate their access to admin, and modify or manipulate data without requiring further interaction from the victim.
- Availability Impact (A): High (H) - This vulnerability can disrupt system availability. When the victim triggers the malicious payload, the attacker can execute commands to escalate privileges to admin and alter critical system configurations or functionality, potentially causing system downtime or denial of service, all without requiring further user interaction.