HTML Injection in OpenCRX 5.2.0

Post by TheVikingsofDW » Thu Feb 08, 2024 9:54 pm

Product Information
Product Name: OpenCRX
Version: 5.2.0

Affected Component
Activity Tracker Name Field

Attack Vector
Web Application

Vulnerability Description
A cross-site scripting (XSS) vulnerability exists in the Activity Tracker Name field of OpenCRX version 5.2.0. This vulnerability allows an attacker to inject malicious HTML code into the web application, which can be executed by other users when they view the affected page.

The attack can be launched by an attacker who enters specially crafted HTML code, such as script tags or iframe elements, into the Activity Tracker Name field. The web application may then display this malicious HTML code to other users, potentially executing the code in their web browser and allowing the attacker to carry out their malicious actions.

Impact
HTML injection can have a significant impact on the reputation and security of a website and the organization that runs it. Potential consequences include:

Theft of sensitive information
Malware distribution
Phishing attacks
Defacement of websites
Denial of service

METHOD OF EXPLOITATION
To reproduce this vulnerability, an attacker can follow these steps:

1. Navigate to the OpenCRX demo website at https://demo.opencrx.org/opencrx-core-C ... iled=false
2. Log in using the Guest credentials.
3. Create a new tracker in the Manage Activity section.
4. Enter the following HTML payload into the Name field:

<font color="red">Hacked by TheVikingsofDW</font>

5. Click the Save button.

The malicious HTML code will be executed when the activity is saved, and it will be displayed to all users who view the activity list.
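
The rendering flaw described in this post, next to the usual fix of HTML-encoding the stored name at output time, as an added example that is not part of the original post and is not OpenCRX code. The function names and the sample tracker names are assumptions made for illustration; the second name is the post's own payload typed with straight quotes.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample data: tracker names as a user could have stored them.
TRACKER_NAMES = [
    "Q1 support tickets",
    '<font color="red">Hacked by TheVikingsofDW</font>',
    "R&D <beta> tracker",
]

def render_unsafe(names):
    """Vulnerable pattern: stored names are concatenated into markup as-is."""
    return "<ul>" + "".join(f"<li>{n}</li>" for n in names) + "</ul>"

def render_safe(names):
    """Hardened pattern: every name is HTML-encoded when it is written out."""
    items = "".join(f"<li>{escape(n, quote=True)}</li>" for n in names)
    return "<ul>" + items + "</ul>"

class TagAudit(HTMLParser):
    """Records each element a browser would create, plus the visible text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)

def audit(html):
    parser = TagAudit()
    parser.feed(html)
    parser.close()
    return parser

def unexpected_tags(html, allowed=("ul", "li")):
    """Tags in the rendered page that the template itself did not emit."""
    return [t for t in audit(html).tags if t not in allowed]

def visible_text(html):
    """Text nodes as the user would read them, entities decoded."""
    return audit(html).text

if __name__ == "__main__":
    print("unsafe:", unexpected_tags(render_unsafe(TRACKER_NAMES)))
    print("safe:  ", unexpected_tags(render_safe(TRACKER_NAMES)))
```

The `unexpected_tags` check works as a regression test on any list view: user-supplied names should never add elements to the page, while `visible_text` confirms that the encoded names still display exactly as entered.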
