Eramba Enterprise & Community Editions Stored XSS
Posted on 30 November -0001
<HTML><HEAD><TITLE>eramba Enterprise & Community Editions Stored XSS</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY># Exploit Title: eramba Enterprise & Community Editions Stored XSS # Author: Yunus YILDIRIM (Th3GundY) # Team: CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com # Website: www.yunus.ninja # Contact: yunusyildirim@protonmail.com 1. ADVISORY INFORMATION ======================= Product: eramba Open-Source IT GRC Description: eramba is a web-application that helps with the analysis, management and reporting of Security, Governance, Risk and Compliance challenges. Founded in 2011 and followed by a community of tens of thousands, we are building the leading open-source GRC application on Internet. Vendor URL: http://www.eramba.org Download Link: http://www.eramba.org/resources/download/ 2. VULNERABILITY SUMMARY ======================== Stored XSS in Notification Page. eramba is vulnerable to a stored XSS when an user created Notifications with an malicious payload on the "Notification Name" field. The html/javascript payload is executed when another user tries to use the see Notifications. 3. TECHNICAL DETAILS ======================== Stored XSS in Notification Page. eramba is vulnerable to a stored XSS when an user created Notifications with an malicious payload on the "Notification Name" field. The html/javascript payload is executed when another user tries to use the see Notifications. 4. PROOF OF CONCEPT ======================== PoC for Enterprise or Community Edition: 1- Go, System - Settings - Notifications menu or Just go http://<eramba-IP>/notificationSystem/attach/Project 2- Click Manage button 3- Add Warning or Add Awareness or Add Default. You can select anyone of them. 4- In "Notification Name" field, here is the payload "><svg/onload=prompt(/CT-Zer0/)> 5- Save it, you see pop-up /notificationSystem/index/Project PoC Video: https://www.youtube.com/watch?v=03xNMcpXqTs 5. AFFECTED VERSIONS ==================== Community Edition <= c1.0.6.001 Enterprise Edition <= e1.0.6.018 Vulnerability Disclosure Timeline: ========================= 29/11/2016 - Contact With Vendor 30/11/2016 - Vendor Response 16/12/2016 - Public Dislosure</BODY></HTML>