Reflected XSS in ZOHO CRM Lead Magnet

Affected Vendor

Zoho

Status

Fixed

Date

14th Oct, 2019

High Severity

Description

A vulnerability was discovered in the WordPress plugin ZOHO CRM Lead Magnet 1.6.9.1. The input variables vulnerable to XSS are ‘Module’, ‘EditShortcode’, and ‘LayoutName’ in the Zoho CRM form creation page. The vulnerability allows an attacker to inject malicious code into the WordPress plugin ZOHO CRM Lead Magnet by providing an XSS payload as a value for the vulnerable variables.

Proof of concept (PoC)

Issue 1: By exploiting the cross-site scripting vulnerability, an attacker can quickly access the user’s session by stealing cookies and exploiting the user’s browser.

  1. Log in to the application.
  2. Install the Zoho CRM Lead Magnet Plugin.

Figure 01: Zoho CRM Lead Magnet.

  3. Configure the client ID and secret key.

Figure 02: Client key and secret id are filled in Authenticating Zoho CRM Plugin.

  4. Click on the Create New Form button, fill in the values, and click on the Next button.

Figure 03: New form in Zoho CRM Plugin.

  5. Add the payload <img src=x onerror=alert(document.cookie)> to the vulnerable parameters by intercepting the request in a proxy tool.

Figure 04: Request with XSS payload sent to the server.

Figure 05: Request and response captured in the proxy.

  6. The injected XSS payload is successfully executed when the user visits or reloads the page.

Figure 06: The JavaScript is successfully executed in the victim browser context.

Figure 07: The WordPress application runs on version 5.2.3.

Figure 08: The WordPress Zoho CRM Lead Magnet Plugin Version: 1.6.9.1.

Figure 09: The default cross-site scripting mitigation setting in wp.config file to prevent Cross-Site Scripting attacks.

Impact

An attacker can inject malicious code into a request, and the server returns the script to the client in the response. Using a crafted URL, this results in reflected cross-site scripting (XSS) in the lead magnet pages of the WordPress plugin Zoho CRM Lead Magnet.

Remediations

Download the latest version and apply the relevant patches as advised by the vendor.
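
To review logged requests for attempts against the three parameters named in the description, the following added example (not part of the original advisory or the plugin's code) flags Module, EditShortcode, and LayoutName values that carry markup after URL decoding. The request path and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Parameter names taken from the advisory (compared case-insensitively).
WATCHED = {"module", "editshortcode", "layoutname"}

# Markup indicators: an opening/closing tag, an inline event handler, a javascript: URL.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)


def decode_fully(value, rounds=3):
    """Undo repeated URL encoding (%253C -> %3C -> <), bounded to a few rounds."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url, body=""):
    """Return the sorted names of watched parameters (query or form body) holding markup."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    hits = set()
    for name, value in pairs:
        if name.lower() in WATCHED and SUSPICIOUS.search(decode_fully(value)):
            hits.add(name)
    return sorted(hits)


# Constructed sample requests as (URL, form body); the path is hypothetical.
SAMPLES = [
    ("/wp-admin/admin.php?page=example&Module=Leads&LayoutName=Standard", ""),
    ("/wp-admin/admin.php?page=example",
     "Module=Leads&LayoutName=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E"),
    ("/wp-admin/admin.php?page=example&EditShortcode=%253Cimg%2520src%253Dx%253E", ""),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, "->", suspicious_params(url, body) or "clean")
```

Request bodies are only available where the proxy or WAF logs them; with access logs alone, only the query-string check applies.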

Timeline

Oct 13, 2019: Discovered in WordPress (Zoho CRM Lead Magnet Plugin) Product.
Oct 14, 2019: Reported to WordPress plugin team.
Oct 15, 2019: WordPress plugin team acknowledged the report.
Oct 15, 2019: The issue was acknowledged and fixed immediately.

Discovered by

Cyber Security Works Pvt. Ltd.


  • Affected Vendor: Zoho
  • Bug Name: Reflected Cross-Site Scripting (XSS)
  • CVE Number: CVE-2019-19306
  • CWE ID: CWE-79
  • CSW ID: 2019-CSW-03-1026
  • CVSSv3 Score: 5.4
  • Affected Version: 1.6.9.1
  • Severity: High
  • Affected Product: Lead Magnet