# Security Issues on Eramba

My coworkers Kelvin Clark and Lucas Carmo and I, security researchers, found several security issues in Eramba, an IT Governance, Risk & Compliance (GRC) application.

![](https://miro.medium.com/max/700/0*rQpagILnBH4__4Fb.png)

### Those vulnerabilities were:

* **Stored XSS**
* **Reflected XSS on the import CSV error page**
* **Reflected XSS on the date filter**
* **Reflected XSS on the search parameter**

First, I would like to explain a bit about Cross-Site Scripting (XSS).

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

**For more reading about the issue,** [**https://www.owasp.org/index.php/Cross-site\_Scripting\_(XSS)**](https://www.owasp.org/index.php/Cross-site_Scripting_\(XSS\))

In the proofs of concept reported below I've used a script tag that pops an alert showing the integer 1, just to illustrate the issue. A real attacker would instead reference `document.cookie` to receive the user's session cookie (unless that cookie is flagged `HttpOnly`, in which case the script can still act on the user's behalf inside the application, it just cannot read the cookie value directly).
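As an added example that is not part of the original post or Eramba's code, the following JavaScript shows the pattern behind all four findings: a user-controlled string concatenated into HTML, the output encoding that fixes it, and an offline check of whether a page reflects a payload unencoded. The host `eramba.example`, the function names and the sample payload list (the img-tag payload is taken without the stray quote) are assumptions for the example.

```javascript
// Added example, not Eramba's code. Shows (a) how a tooltip/error-page sink
// becomes exploitable, (b) the output-encoding fix, and (c) a small offline
// check for whether a response reflects a payload unencoded.
// The host name eramba.example is an assumption standing in for <ip-address>.

// Payloads quoted in the report, embedded here as constructed sample input.
const PAYLOADS = [
  '<img src="" onerror="alert(1);">',   // stored XSS via programScopes description
  '<script>alert(1)</script>',          // CSV import error page / advanced_filter
  '<script>alert(2)</script>',          // crons "created" date filter
];

// Entity-encode the characters that matter in HTML body and attribute
// contexts. Encoding at the output point is what the vulnerable pages lacked.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Vulnerable rendering: the description is concatenated straight into markup,
// so an attacker-stored value runs in every viewer's browser.
function renderTooltipUnsafe(description) {
  return `<div class="tooltip">${description}</div>`;
}

// Hardened rendering: same template, value encoded where it enters HTML.
function renderTooltipSafe(description) {
  return `<div class="tooltip">${escapeHtml(description)}</div>`;
}

// Build a probe URL for a reflected parameter, e.g. the crons date filter.
// URLSearchParams produces the percent-encoding seen in the report's URL.
function buildProbeUrl(base, param, payload, extra = {}) {
  const url = new URL(base);
  for (const [k, v] of Object.entries(extra)) url.searchParams.set(k, v);
  url.searchParams.set(param, payload);
  return url.toString();
}

// Triage check on a fetched response body: true if the payload came back
// byte-for-byte, i.e. the page echoed it without encoding.
function reflectsUnencoded(body, payload) {
  return body.includes(payload);
}

// Stand-alone demonstration.
for (const p of PAYLOADS) {
  console.log('unsafe reflects:', reflectsUnencoded(renderTooltipUnsafe(p), p));
  console.log('safe   reflects:', reflectsUnencoded(renderTooltipSafe(p), p));
}
console.log(buildProbeUrl('https://eramba.example/crons', 'created',
  '<script>alert(2)</script>', { advanced_filter: '1', created__comp_type: '0' }));
```

The `reflectsUnencoded` check is deliberately strict: a page that returns the payload with `<` turned into `&lt;` is not reporting a vulnerability, and a page that returns it untouched is the signal the screenshots below show.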

That being said, let's start the report!

**1- Stored XSS**

The first cross-site scripting issue was in the tooltip box of `https://<ip-address>/programScopes`, in the description parameter.

The payload used was: `<"img src="" onerror="alert(1);">`

![XSS Storaged on the tooltip box](https://miro.medium.com/max/700/0*4BRDGjuzrqEPcqQ7.png)

**2- Reflected XSS on the import CSV error page**

The second was on `https://<ip-address>/importTool/preview`, in the error page shown while importing a CSV file with an HTML script tag embedded in it.

The payload used was: `<script>alert(1)</script>`

![XSS Reflected on the import CSV error page](https://miro.medium.com/max/700/0*Ii9XTXMpnbi9uLfX.png)

**3- Reflected XSS on the date filter**

The third was found in the `created` date-filter parameter of the crons page: `https://<ip-address>/crons?advanced_filter=1&created__comp_type=0&created=%3Cscript%3Ealert(2)%3C%2Fscript%3E&created__show=1&type__show=1&execution_time__comp_type=0&execution_time__show=1&status__show=1&_limit=15`

The payload used was `<script>alert(2)</script>`, URL-encoded as `%3Cscript%3Ealert(2)%3C%2Fscript%3E` in the query string above.

![XSS Reflected on date filter](https://miro.medium.com/max/672/0*5LvK-hmPYAxhPtrk.png)

**4- Reflected XSS on the search parameter**

The fourth was found at `http://<ip-address>/reviews/filterIndex/ThirdPartyRiskReview?`, in the `advanced_filter` parameter.

The payload used was `<script>alert(1)</script>`

![XSS Reflected Search Parameter](https://miro.medium.com/max/671/0*z8G-Y0Z9mRrEaGYW.png)

CVEs related to this post:

* CVE-2018-7996
* CVE-2018-7997
* CVE-2018-7894
* CVE-2018-7741
