Feng Office - Persistent Cross-Site Scripting

EDB-ID:

34277

CVE:

N/A




Platform:

PHP

Date:

2014-08-06


# Affected software: Feng Office - URL: http://www.fengoffice.com/web/demo.php
# Discovered by: Provensec
# Website: http://www.provensec.com
# Type of vulnerability: XSS Stored
#
# Feng Office is a Collaboration tool that includes a CRM, Communication,
Document Management, Tasks, E-mails, Documents, Internal messages, Time
tracking,
Billing, Calendar, Gantt Charts, Reminders, and more.
#
# Description: Feng Office is prone to a Persistent Cross Site Scripting
attack that allows a malicious user to inject HTML or scripts that can
access any cookies, session tokens, or other
sensitive information retained by your browser and used with that site.
# Proof of concept:
# 1. Create or Edit a client
# 2. Complete the field Name ( customer[name] ) using this value:
"><script>alert('XSS by Provensec')</script>
# 3. Save changes.
# 4. Share your client in the Activity feed to infect others.