CVE-2021-29267 PoC — sherlock SherlockIM 跨站脚本漏洞

Source

https://github.com/Security-AVS/CVE-2021-29267

Associated Vulnerability

Title:sherlock SherlockIM 跨站脚本漏洞 (CVE-2021-29267)
Description:Sherlock SherlockIM through 2021-03-29 allows Cross Site Scripting (XSS) by leveraging the api/Files/Attachment URI to attack help-desk staff via the chatbot feature.

Description

SherlockIM ChatBot XSS

Readme

# CVE-2021-29267
SherlockIM ChatBot XSS

[Suggested description]: SherlockIM is vulnerable to Persistent XSS.

[Additional Information]: SherlockIM - Platform for manage all kind of conversations with customers.

[Vulnerability Type]: Cross Site Scripting (XSS)

[Vendor of Product]: https://sherlockim.ae

A letter was sent to the vendor about the vulnerability.

[Attack Type]: Remote

[Attack Vectors]: Attacker uploads malicious HTML file via chat bot. Malicious file is loaded in customer subdomain (every customer has unique subdomain in the sherlockcrm domain). Malicious code in uploaded file successfully executed in "customer.sherlockcrm.ru". Link to uploaded file leaks via chat bot and has the following format: https://customer.sherlockcrm.ru/api/Files/Attachment/unique_ID.html. Link is valid until manual delete. Attacker can attack help desk employees. 

[Discovered]: Alexander Semenenko

[Reference]: https://sherlockim.ae

[Proof of Concept]:

![alt text](https://github.com/Security-AVS/CVE-2021-29267/blob/main/Successful%20execution%20of%20code.png)

File Snapshot


 [4.0K]  /data/pocs/00f83eff038d95beff3eb6f36882fd942d3220bf
├── [1.0K]  README.md
└── [ 79K]  Successful execution of code.png

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!