Related vulnerability
Description
A security vulnerability has been identified in Krayin CRM <=2.1.0 that allows a low-privileged user to escalate privileges by tricking an admin into opening a malicious SVG file.
Introduction
# CVE-2025-3568
# Privilege Escalation via Malicious SVG File
## Summary
A security vulnerability has been identified in **Krayin CRM 2.1.0** that allows a low-privileged user to escalate privileges by tricking an admin into opening a malicious SVG file. This exploit leverages **Cross-Site Request Forgery (CSRF)** and **Cross-Site Scripting (XSS)** via SVG to:
- Steal the admin’s **XSRF token** from cookies.
- Change the admin’s password without knowing the current password via an **unprotected API endpoint**.
This could lead to **full admin account takeover** and **data breaches**.
---
## Technical Details
### Vulnerability Type
- **CSRF + XSS via SVG File Upload** (Stored Client-Side Attack)
- **Broken Access Control** (Password Change Without Current Password)
### Affected Component
- **User Management Module** (`/admin/settings/users/edit/[ID]`)
- **File Upload/Email Attachment Handling** (SVG with embedded JavaScript)
### Attack Flow
1. **Attacker (low-privilege user)** sends an email with a **malicious SVG attachment** to an admin.
2. **Admin opens the SVG file** in a new tab.
3. **JavaScript inside the SVG executes**, harvesting the admin's `XSRF-TOKEN` cookie.
4. A **forged POST request** is sent to the CRM’s user management endpoint, changing the admin’s password.
5. **Attacker gains full admin access** using the new password.
---
## Proof of Concept (PoC)
- **Screen recording of the exploit in action:**
https://github.com/user-attachments/assets/36f5f5ec-d7f1-4ea8-aa78-f1be396e13d3
- **Malicious SVG file:** svgxss.svg
---
## Impact
- **Full Admin Account Takeover:** Attacker can reset the admin password and log in.
- **Data Breach:** Access to sensitive CRM data (customer info, transactions, etc.).
- **Persistence:** Attacker can create **backdoor accounts** or modify system settings.
---
## Root Cause Analysis
### Missing SVG Sanitization
- The CRM allows **SVG files with embedded JavaScript**, enabling XSS.
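One defensive check for this root cause, added here as an example and not part of the PoC or of Krayin's own code: reject uploaded SVGs that contain script elements, event-handler attributes or script URLs instead of storing them as-is. It uses only Python's standard-library ElementTree (which does not resolve external entities), and the sample SVGs are constructed for the test, not the PoC's svgxss.svg.

```python
import xml.etree.ElementTree as ET

# Elements that can run script or embed HTML inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that execute code when the referencing element is activated.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")
# Attributes that carry URLs (namespace prefix such as xlink: is stripped below).
URL_ATTRIBUTES = {"href", "src"}


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def inspect_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content was seen."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as err:
        return [f"malformed XML: {err}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():  # iter() includes the root element itself
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):  # onload, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and value.strip().lower().startswith(SCRIPT_SCHEMES):
                findings.append(f"script URL in {name} on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Upload gate: accept only SVGs with no findings at all."""
    return not inspect_svg(data)


# Constructed samples (not the PoC's svgxss.svg).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="green"/>
</svg>"""
SCRIPTED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="console.log('constructed')">
  <script>console.log('constructed')</script>
</svg>"""
LINKED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:console.log('constructed')"><text y="10">click</text></a>
</svg>"""

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG), ("linked", LINKED_SVG)]:
        print(label, "->", "accepted" if is_safe_svg(sample) else inspect_svg(sample))
```

Rejecting is simpler and safer than trying to sanitize; serving any stored upload with `Content-Disposition: attachment` and a restrictive Content-Security-Policy on the upload origin adds a second layer so an SVG opened in a new tab cannot run script in the CRM's origin.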
### Broken Password Change Logic
- The `/admin/settings/users/edit` endpoint **does not enforce current password verification**.
---
## Conclusion
This vulnerability poses a **critical risk** to the CRM’s security, allowing attackers to **hijack admin accounts** with minimal effort. Immediate action is required to **patch the issue** and **prevent exploitation**.
---
## References
- https://nvd.nist.gov/vuln/detail/CVE-2025-3568
- https://vuldb.com/?id.304609
File snapshot
[4.0K] /data/pocs/db380be0f1d28231e49805822795786bd42113e8
├── [2.4K] README.md
└── [2.0K] svgxss.svg
0 directories, 2 files
Notes
1. Accessing the PoC through the original source is recommended.
2. If the source is no longer available or cannot be reached, email f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for local PoCs. Thank you for your support.