Securin (previously CSW) Discovers Stored Cross-Site Scripting (XSS) Zero-Day Vulnerability in WordPress Plugin

A Cross-Site Scripting (XSS) attack is a major concern in the cybersecurity world, especially for web applications, because it can allow attackers to take control of users’ accounts and steal their personally identifiable information as well as their login credentials. CSW researchers recently found one such medium-severity vulnerability in Zoho CRM Lead Magnet.

Description

CSW researchers have discovered a Cross-Site Scripting (XSS) vulnerability in Zoho CRM Lead Magnet Version 1.7.2.4. 

A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website.

The discovered vulnerability targets the application’s users rather than the application itself, using the vulnerable application as the attack vehicle. The XSS payload executes whenever a user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4.


Vulnerability at a Glance

CVE Number: CVE-2021-33849
Product Name: Zoho CRM Lead Magnet Plugin
Affected Version: Version 1.7.2.4
Severity: Medium
Vendor: WordPress 5.8
CWE ID: CWE-79: Improper Neutralization of Input During Web Page Generation
CVSS Vector: 6.1 (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L)
CSW ID: 2021-CSW-08-1050


Proof of Concept

The following vulnerability was detected in Zoho CRM Lead Magnet Version 1.7.2.4. 

Issue: Stored Cross-Site Scripting

Severity: Medium

Steps to reproduce:

1. Log in to the WordPress application.

Note: A virtual host (wptest.com) was used to test the application locally.

2. Install the Zoho CRM Lead Magnet Plugin.

Figure 01: Zoho CRM Lead Magnet Version 1.7.2.4

3. Configure the Client ID and Secret Key.

4. Click the ‘Create New Form’ button, fill in the values, and then click the ‘Next’ button.

Figure 02: New form in Zoho CRM Plugin

5. Encode the payload <img src=x onerror=alert(document.cookie)> with a hexadecimal HTML encoder.

Figure 03: Encoding the Payload

6. Enter the encoded payload in the ‘Form Name’ field (formvalue parameter) to update the form. Then, click the arrow button near the ‘Create a New Form’ heading to go back to the previous page.

Figure 04: Entering Encoded XSS Payload in the ‘Form Name’ Field

7. Click on the pencil icon to edit the created form.

Figure 05: Click on the Pencil Icon to Edit the Form

8. Change any form value, such as ‘Company’ or ‘Last Name’.

Figure 06: Modifying Form Fields

Figure 07: Injected XSS Payload Executed Displaying An Alert Box With Contents of the User’s Cookies

9. The XSS payload is also executed when the user tries to delete the form.

Figure 08: XSS Payload Executed When the User Tries To Delete the Form

Impact

With cross-site scripting, an attacker can control a script executed in the victim’s browser and then fully compromise that user. An XSS vulnerability enables attacks that are self-contained within the application. This means that an attacker does not need to find an external means of inducing the victim to make a request containing their exploit. Rather, the attacker can insert the exploit into the application and simply wait for users to encounter it.

A cross-site scripting attack can result in the following:

  • Cookie theft
  • Disclosure of end-user files
  • Installation of Trojan horse programs
  • Redirection of the user to some other page or site


Recommendations

To fix this vulnerability, follow these steps:

  • Perform context-sensitive encoding of untrusted input before it is echoed back to the browser, using an encoding library rather than ad hoc string replacement.

  • Implement server-side input validation for special characters on all values that are reflected to the browser or stored in the database.

  • Implement client-side validation as a supplementary measure; it improves usability but does not replace the server-side controls above.

Figure 09: Default Cross-Site Scripting Mitigation Setting in the wp.config File Prevents Cross-Site Scripting Attacks
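As an added example (not the plugin’s or CSW’s code), the following Python shows why the hex-entity encoding in step 5 slips past a check on the raw submission, and how the first two recommendations close the gap: canonicalize before validating, then encode for the output context. The field name, sample input and helper functions are assumptions made for illustration.

```python
import html
import json
import re

# Constructed sample: the hex-entity form of the payload from step 5 of the
# advisory, as it would be submitted in the 'Form Name' (formvalue) field.
ENCODED_PAYLOAD = "&#x3c;img src=x onerror=alert(document.cookie)&#x3e;"

# Markup that has no place in a plain-text field: a tag opener or an
# on*= event-handler attribute.
TAG_OR_HANDLER = re.compile(r"<\s*[a-z]|\bon[a-z]+\s*=", re.IGNORECASE)


def naive_rejects(value: str) -> bool:
    """The kind of check the encoded payload slips past: it looks for a
    literal '<' in the raw submission and never sees one."""
    return "<" in value


def canonicalize(value: str) -> str:
    """Decode HTML entities until the text stops changing, so validation
    judges the string the browser will render, not its encoding."""
    previous = None
    while previous != value:
        previous, value = value, html.unescape(value)
    return value


def validate_form_name(value: str) -> bool:
    """Server-side validation (hypothetical helper): accept only names that
    carry no tag or handler once canonicalized."""
    return not TAG_OR_HANDLER.search(canonicalize(value))


def render_html_text(value: str) -> str:
    """Output encoding for an HTML text node: the stored value is shown as
    literal characters and cannot open a tag."""
    return html.escape(canonicalize(value), quote=True)


def render_js_string(value: str) -> str:
    """Output encoding for a value placed in an inline script string, e.g. a
    name handed to edit/delete handlers: JSON quoting plus escaping '<' keeps
    it from breaking out of the string or closing the script block."""
    return json.dumps(canonicalize(value)).replace("<", "\\u003c")


if __name__ == "__main__":
    print("naive filter rejects it:", naive_rejects(ENCODED_PAYLOAD))  # False
    print("accepted as a form name:", validate_form_name(ENCODED_PAYLOAD))  # False
```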


Timeline

  • August 26, 2021: Discovered in Zoho CRM Lead Magnet Version 1.7.2.4.

  • September 1, 2021: Reported to WordPress Team

  • September 2, 2021: Vendor Acknowledged

  • September 2, 2021: The vendor blocked the plugin

  • September 6, 2021: Zoho fixed the issue

  • September 7, 2021: Vendor reopened the plugin for download

  • September 7, 2021: CVE-2021-33849 assigned by Cyber Security Works

CSW Zoho Zero-day timeline of events


Discovered by

Cyber Security Works Pvt. Ltd., Chennai


Advisory

Security Advisory Published by WordPress
