imge
Get Started!

Securin Zero-Days

CVE-2019-19306 – Reflected Cross-Site Scripting in ZOHO CRM Lead Magnet

Severity:High

Vendor

Zoho

Affected Product

Lead Magnet

CVE

CVE-2019-19306

Securin ID

2019-CSW-03-1026

Status

Fixed

Date

October 14, 2019

Description

A vulnerability was discovered on WordPress plugin ZOHO CRM Lead Magnet 1.6.9.1. An input variable vulnerable to XSS are ‘Module,’ ‘EditShortcode,’ and ‘LayoutName’ in the Zoho CRM form creation page. A vulnerability allows an attacker to inject malicious code into the WordPress plugin ZOHO CRM Lead magnet by providing XSS payload as a value for vulnerable variables.

Proof of Concept (POC):

Issue 1: By exploiting Cross-site scripting vulnerability, an attacker can quickly access the user’s session by stealing cookies and exploiting the user browser.

  1. Log in to the application.
  2. Install the Zoho CRM Lead Magnet Plugin.

Figure 01: Zoho CRM Lead Magnet.

  1. Configure the client ID and secret key.

Figure 02: Client key and secret id are filled in Authenticating Zoho CRM Plugin.

2. Click on the Create New Form button and fill the values and click on the Next button.

Figure 03: New form in Zoho CRM Plugin.

3. Add the payload <img src=x onerror=alert(document.cookie)> to the vulnerable parameters by intercepting the request in a proxy tool.

Figure 04: Request with XSS payload sent to the server.

Figure 05: Request and response captured in the proxy.

3. Injected XSS payload is successfully executed when the user visits or reloads the page.

Figure 06: The JavaScript is successfully executed in the victim browser context.

Figure 07: The WordPress application runs on version 5.2.3.

Figure 08: The WordPress Zoho CRM Lead Magnet Plugin Version: 1.6.9.1.

Figure 09: The default cross-site scripting mitigation setting in wp.config file to prevent Cross-Site Scripting attacks.

Impact

An attacker can inject malicious codes into a request and the server returns the script to the client in the response using a crafted URL to reflect cross-site scripting (XSS) in a lead magnet of WordPress plugin CRM lead magnet pages.

Remediations

Download the latest version and apply relevant patches advised as per vendor.

Timeline

Oct 13, 2019: Discovered in WordPress (Zoho CRM Lead Magnet Plugin) Product.
Oct 14, 2019: Reported to WordPress plugin team.
Oct 15, 2019: WordPress plugin team acknowledged the report.
Oct 15, 2019: The issue acknowledged and fixed immediately.

Let Securin level up your security posture!

START NOW