Advertisement






CiviCRM 5.59.alpha1 Cross Site Scripting

CVE Category Price Severity
CVE-2023-25440 CWE-79 $500 High
Author Risk Exploitation Type Date
N/A High Remote 2023-05-20
CVSS
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023050044

Below is a copy:

CiviCRM 5.59.alpha1 Cross Site Scripting
# Exploit Title: CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)
# Date: 2023-02-02
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://civicrm.org
# Software Link: https://civicrm.org/download
# Version: 5.59.alpha1, 5.58.0 (and earlier), 5.57.3 (and earlier)
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 109.0.1, Microsoft Edge 109.0.1518.70)
# CVE: CVE-2023-25440 / Vendor Security Advisory: CIVI-SA-2023-05


Description:

A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows attacker to execute arbitrary web
scripts or HTML.

Injecting persistent javascript code inside the "Add Contact" function while creating a contact, in first/second name
field, it will be triggered once page gets loaded.


Steps to reproduce:

- Quick Add contact to CiviCRM,
- Insert a payload PoC inside the field(s)
- Click on 'Add contact'.

If a user visits the dashboard, as well as "Recently added" box, the javascript code will be rendered.


Timeline:

2023-01-29: Vulnerability discovered
2023-02-02: Request for CVE reservation
2023-02-04: Vendor contacted
2023-02-06: Vendor replies, acknowledgments and coordinating for advisory
2023-02-14: Vendor discloses Security advisory and credits, internal id: CIVI-SA-2023-05
2023-02-15: Vendor Security Advisory publication on https://civicrm.org/advisory/civi-sa-2023-05-quick-add-widget
2023-04-27: Assigned CVE number: CVE-2023-25440
2023-05-18: CVE publication / disclosure

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.