Stored XSS found in Small CRM (phpgurukul)

Shiva Kumar M V
1 min read · Dec 9, 2022


# Exploit Title: Small CRM — Stored Cross-Site Scripting Vulnerability
# Date: 12-Nov-2022
# Exploit Author: Venkata Siva Kumar Medituru
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/small-crm-php/
# Version: 3.0
# Tested on: Windows 10
# Contact: https://www.linkedin.com/in/shivakumar-m-v/

Stored XSS Vulnerability: Cross-site scripting (XSS) attacks are a type of injection attack in which malicious script is injected through an input field. If the input fields do not validate or sanitize user input, an attacker can inject a script that the application later serves to, and that then executes in, other users' browsers.

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.

Attack vector:
An attacker injects the XSS payload into the Subject input field on the “Create Ticket” page. Each time a user visits the “View Ticket” page the stored payload is rendered and executed, and depending on the crafted payload the attacker is able to steal the victim's cookies.

Vulnerable Parameter: Subject.

Reproduction steps are given in the video PoC.

Impact:

XSS can lead to cookie theft, session hijacking, redirection, account takeover and other malicious activity carried out by the attacker.

Mitigations:

01) Implement a Web Application Firewall (WAF) as a compensating control; it does not replace fixing the application itself.

02) Configure security headers such as Content-Security-Policy to limit what an injected script is able to do.

03) Encode user-supplied data on output, using the encoding appropriate to the HTML context in which it is rendered, wherever possible.
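The following is an added example, not Small CRM's own code, showing the difference between the vulnerable pattern described above (the stored Subject echoed straight into the “View Ticket” page) and the output-encoding fix from mitigation 03. Function names, the length limit and the sample stored value are assumptions constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (assumed, not copied from the product): the Subject
// saved via "Create Ticket" is echoed unchanged, so any HTML or script it
// contains runs in the browser of every user who opens "View Ticket".
function renderSubjectVulnerable(string $subject): string
{
    return "<td>{$subject}</td>";
}

// Hardened pattern: contextual output encoding for an HTML element body.
// ENT_QUOTES also encodes quotes, so the same helper is safe inside a
// double-quoted attribute; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
function renderSubjectSafe(string $subject): string
{
    $encoded = htmlspecialchars(
        $subject,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return "<td>{$encoded}</td>";
}

// Defence in depth on the way in: reject empty or implausibly long
// subjects before they are stored. The 200-character cap is a constructed
// value; pick one that fits the application.
function validateSubject(string $subject): ?string
{
    $subject = trim($subject);
    if ($subject === '' || mb_strlen($subject, 'UTF-8') > 200) {
        return null;
    }
    return $subject;
}

// Constructed sample of a stored Subject value containing a script tag.
$storedSubject = '<script>alert(document.domain)</script>';

// The first line contains a live <script> element; the second shows the
// same value with its angle brackets encoded, so the browser displays it
// as text instead of executing it.
echo renderSubjectVulnerable($storedSubject), PHP_EOL;
echo renderSubjectSafe($storedSubject), PHP_EOL;
```

Input validation alone is not sufficient, because a subject that is legitimate text can still contain characters that are dangerous in HTML; the encoding at render time is what removes the vulnerability.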


Shiva Kumar M V

Information Security Consultant, Vulnerability Researcher and Pen tester.