Infor CRM 8.2.0.1136 Multiple HTML Script Injection Vulnerabilities

Title: Infor CRM 8.2.0.1136 Multiple HTML Script Injection Vulnerabilities
Advisory ID: ZSL-2016-5308
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 26.02.2016
Summary
Infor® CRM, formerly Saleslogix, is an award-winning customer relationship management (CRM) solution that provides a complete view of customer interactions, so your business can collaborate and respond promptly and knowledgeably to customer inquiries, sales opportunities, and service requests. Infor CRM includes a robust suite of sales, marketing, and service capabilities, to offer businesses of all sizes a fast, flexible, and affordable solution for finding, winning, and growing profitable customer relationships.
Description
Infor CRM suffers from multiple stored cross-site scripting vulnerabilities. Input passed to several POST/PUT parameters in JSON format is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
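
For defenders, the class of flaw described above is addressed by encoding stored values when they are rendered, with request screening as a stopgap while no vendor fix exists. The following is an added example, not code from this advisory or from Infor; the function names, field names and sample bodies are assumptions constructed for illustration.

```javascript
// Added example. Field names and sample bodies are constructed; nothing here
// comes from Infor CRM's real API.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// The actual fix: encode stored values for the HTML context when rendering them.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Walk a parsed JSON body and collect the JSON path of every string value
// that contains tag delimiters.
function findMarkup(node, path = '$', hits = []) {
  if (typeof node === 'string') {
    if (/[<>]/.test(node)) hits.push(path);
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => findMarkup(item, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, val] of Object.entries(node)) findMarkup(val, `${path}.${key}`, hits);
  }
  return hits;
}

// Compensating control for a proxy or middleware hook: inspect JSON bodies of
// POST/PUT requests. Parsing first matters, because "\u003c" in the raw body
// only becomes "<" after JSON decoding.
function screenRequest(method, contentType, rawBody) {
  const pass = { action: 'pass', paths: [] };
  if (!['POST', 'PUT'].includes(String(method).toUpperCase())) return pass;
  if (!/^application\/json\b/i.test(contentType || '')) return pass;
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { action: 'reject', paths: [] };
  }
  const paths = findMarkup(body);
  return paths.length ? { action: 'flag', paths } : pass;
}

// Constructed sample request body.
const SAMPLE_BODY = JSON.stringify({
  Description: 'Quarterly review',
  Notes: [{ Text: '<b>constructed marker</b>' }],
});

console.log(screenRequest('PUT', 'application/json; charset=utf-8', SAMPLE_BODY));
console.log(encodeHtml('<b>constructed marker</b>'));
```

The screening step only narrows exposure; values already stored remain a risk until every rendering path encodes them.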
Vendor
Infor - http://www.infor.com
Affected Version
8.2.0.1136
Tested On
Microsoft-IIS/8.5
ASP.NET/4.0.30319
Vendor Status
[21.01.2016] Vulnerability discovered.
[29.01.2016] Vendor informed about a security issue.
[29.01.2016] Vendor promises to reply for more info.
[13.02.2016] No reply from the vendor.
[14.02.2016] Contact with the vendor.
[25.02.2016] No response from the vendor.
[26.02.2016] Public security advisory released.
PoC
inforcrm_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://cxsecurity.com/issue/WLB-2016020219
[2] https://www.exploit-db.com/exploits/39497/
[3] https://packetstormsecurity.com/files/135968
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/111155
Changelog
[26.02.2016] - Initial release
[29.02.2016] - Added reference [3]
[12.03.2016] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk