Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Writeup for CVE-2019-16417

Summary

A cross-site-scripting (XSS) issue was discovered in HRworks FLOW 3.36.9. An attacker could exploit this by storing persistent scripts which would lead to unwanted code execution when visiting an affected page.

Export Title

Stored XSS - HRworks FLOW v3.36.9

Vendor Homepage

https://www.hrworks.de

Exploit Author

Sven Grossmann / Lufthansa Industry Solutions

Contact

https://github.com/svennergr / https://twitter.com/svennergr

Website

https://www.lufthansa-industry-solutions.com

Category

webapps

CVE

CVE-2019-16417

Timeline

  • 2019-09-16 Disclosure to vendor
  • 2019-09-18 Vendor informed, that the will be fixed with the next product version (v3.37.0)
  • 2019-09-23 Vendor published a fixed product version (v3.37.0)

Proof of Concept

  1. Open HRWorks FLOW.
  2. Create new a travel expense report.
  3. Almost every field in the form is vulnerable to a XSS flaw. e.g. enter raw HTML/JS as the purpose of the report: <script>alert('xss')</script>
  4. The HTML/JS will be executed when opening the report or showing the report's purpose in the overview.

Also see CVE-2019-16417-poc-1.jpg and CVE-2019-16417-poc-2.jpg.

Solution

As date of publication all versions above 3.37.0 are save to use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.