Summary
An attacker can inject an arbitrary IP or domain into the "Password Change" page and redirect the victim to a malicious page, which could lead to credential theft or other attacks.
Details
The main problem is that after changing the password, the user is shown a link to the login page which, if the attack succeeds, points to the domain or IP controlled by the attacker.
PoC
- Go to the login page and click "Forgot Password?".
- Enter "Username" and "Email" and submit the request (with BurpSuite set up to intercept it).
- Go to the "Proxy" tab in BurpSuite and intercept the POST request to the "/EspoCRM/api/v1/User/passwordChangeRequest" endpoint.
- Change "url" in the intercepted request to any IP or domain.
- Once the email is received, click the password reset link, change the password, and then click the "Login" link on the same page.
- The victim is redirected to the IP or domain set in step 4.
Impact
An attacker could use site-cloning tools to clone the site's login page and use it to steal credentials.
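The root cause is that the "url" field of the passwordChangeRequest body is trusted when building the reset email and the post-reset "Login" link. The simplest fix is to ignore that field and always use the server-side configured site URL; where a client-supplied value must be honoured, it should only be accepted when it resolves to the same origin as the configured site URL. The following is an added illustrative check, not EspoCRM's code; the SITE_URL value and the sample inputs are constructed.

```python
from typing import Optional
from urllib.parse import SplitResult, urlsplit

# Constructed example: in a real deployment this comes from server-side
# configuration, never from the request body.
SITE_URL = "https://crm.example.com/EspoCRM"


def _origin(parts: SplitResult) -> tuple:
    """(scheme, host, port) of a parsed URL; raises ValueError if malformed."""
    host = parts.hostname
    if host is None:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, host.lower(), port


def resolve_login_url(client_url: Optional[str], site_url: str = SITE_URL) -> str:
    """Return the URL to embed in the reset email and the "Login" link.

    The client-supplied value is used only when it is an absolute http(s)
    URL on exactly the same origin as the configured site URL. Anything
    else (another host, a bare IP, a scheme-relative "//host" URL, a
    "trusted@evil" userinfo trick, an unparsable port) falls back to the
    configured URL, so a tampered "url" field cannot redirect the victim.
    """
    if not client_url:
        return site_url
    try:
        parts = urlsplit(client_url)
        if parts.scheme not in ("http", "https"):
            return site_url
        # Reject "user:pass@host" forms: some parsers treat the text before
        # "@" as the host, which is how allowlist checks get bypassed.
        if parts.username is not None or parts.password is not None:
            return site_url
        if _origin(parts) != _origin(urlsplit(site_url)):
            return site_url
    except ValueError:
        return site_url
    return client_url
```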