Insights

Security insights from Bytium operators

Brief updates from Bytium operators on the tactics we see, how we respond, and what your teams can ship today to stay ahead.

Jun 2, 2026 | 2 min read

Leantime 3.8.0 Broken Access Control

Leantime is a popular open-source project-management app. Its front-end talks to a JSON-RPC API, and several of those API methods forgot to check *who* is calling them. We already covered how that lets any low-privilege user make themselves an administrator.

advisory
Jun 2, 2026 | 3 min read

Leantime 3.8.0 Privilege Escalation Vulnerability

A broken access control flaw (CWE-862) in Leantime ≤3.8.0 lets any authenticated low-privilege user escalate to Owner via the JSON-RPC API. PoC, impact, and fix.

May 16, 2026 | 2 min read

Krayin CRM 2.2.0 - Authenticated Arbitrary File Upload to RCE

Krayin CRM 2.2.0 ships a TinyMCE media-upload endpoint that accepts any file extension and stores the result on a publicly served Laravel disk.

advisory
May 16, 2026 | 2 min read

Krayin CRM 2.2.0 - Authenticated Blind SQL Injection in Leads DataGrid

Krayin CRM 2.2.0 contains an authenticated blind time-based SQL injection in the Leads DataGrid. The `rotten_lead[in]` request parameter is concatenated directly into a `havingRaw()` expression without parameter binding, exposing the database to byte-by-byte extraction by any authenticated staff user.

May 16, 2026 | 2 min read

Krayin CRM 2.2.0 - Cross-User IDOR Across Lead, Contact, and Activity Controllers

An authenticated cross-user IDOR vulnerability has been identified in Webkul's Krayin CRM 2.2.0.

advisory
Apr 18, 2026 | 5 min read

Blind SQL Injection in Perfex CRM 3.4.1

Perfex CRM 3.4.1 pastes the `sort_by` request parameter directly into an ORDER BY clause with CodeIgniter's identifier escaping disabled. Any staff account — admin flag not required, zero role permissions is enough — can exploit this blind time-based SQL injection to read the entire application database, including the bcrypt-wrapped phpass hashes in `tblstaff.password`.

Apr 18, 2026 | 4 min read

Perfex CRM 3.4.1 Cross-Tenant IDOR Vulnerability

advisory
Apr 14, 2026 | 4 min read

Introducing Bytium Active: Digital Presence Health for Your Business

Bytium Active is a continuous monitoring product that watches the state of your business online — what's exposed, what's expiring, what looks broken, and what you'll need when a customer or insurer asks. Here's why we built it, what it does today, and what's coming next.

product
announcements
security
Jan 10, 2026 | 4 min read

Security Isn't a Task. It's a System

Most organizations don’t fail at security because they don’t care. They fail because security is treated as something you do, not something you run.

security
Mar 30, 2025 | 2 min read

Stored XSS in Perfex CRM 3.2.1 Contracts Module

Stored XSS in Perfex CRM 3.2.1 project discussions allows authenticated clients to inject JavaScript that runs for other users.

security
advisory