Stored XSS Vulnerabilities in CRMGo SaaS 7.2
Two stored cross-site scripting (XSS) vulnerabilities were identified in CRMGo SaaS version 7.2. An authenticated user with low privileges can inject malicious JavaScript that is stored by the application and executed whenever the affected content is viewed by other users, including administrators.
Because the payloads are stored server-side, the attack persists across sessions and affects any user who accesses the vulnerable pages.
Affected Version
- CRMGo SaaS 7.2
Vulnerability Details
Stored XSS – Deal Notes
The first vulnerability exists in the Deal module, where the note text is stored verbatim and rendered back to other users without output encoding.
- Endpoint: /deal/{id}/note
- Vulnerable parameter: notes
Steps to Reproduce
- Navigate to any deal in the Deal module.
- Add a note containing the following payload:
  <script>alert("stored")</script>
- Save the note and view it again.
Result:
The injected JavaScript executes whenever the note is rendered.
Stored XSS – Project Task Comments
A second stored XSS vulnerability was identified in the Project task comment functionality.
- Endpoint: /project/task/{task_id}/show
- Vulnerable parameter: comment
Steps to Reproduce
- Open any task in the Projects module.
- Add a comment containing the following payload:
  <script>alert(5)</script>
- View the comment.
Result:
The JavaScript payload executes each time the comment is displayed.
Impact
Successful exploitation of these vulnerabilities may allow an attacker to:
- Execute arbitrary JavaScript in the context of authenticated users
- Impersonate users or administrators
- Steal sensitive information
- Perform phishing or social engineering attacks
- Deploy additional malicious client-side payloads
Due to the stored nature of the vulnerabilities, exploitation persists until the malicious input is removed.
Recommendation
Users should apply security updates or patches provided by the vendor as soon as they become available.
All user-controlled input should be validated on the way in and, more importantly, encoded for the context in which it is rendered (HTML body, attribute or JavaScript) at output time. Free-text fields such as notes and comments cannot be made safe by input validation alone; the stored value must be escaped every time it is written into a page.
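The following is an added example, not code from CRMGo SaaS, showing the difference between the rendering pattern the two findings describe (stored text concatenated straight into markup) and the output-encoded form the recommendation calls for. The templates and function names (`escapeHtml`, `renderVulnerable`, `renderSafe`, `containsActiveContent`) are assumptions chosen for illustration; the inputs are the two payloads quoted in the advisory plus a constructed benign note.

```javascript
// Added example (not CRMGo SaaS code). Demonstrates output encoding of a
// stored note/comment before it is placed in an HTML page, using the
// advisory's own payloads as input. Function names are hypothetical.

// Encode the characters that can break out of an HTML text node or a
// double-quoted attribute. Encoding happens at render time, so records that
// were stored before the fix are covered as well.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored value is interpolated directly into markup.
// This is the behaviour the advisory describes for the deal note and task
// comment views (the template here is illustrative, not the vendor's).
function renderVulnerable(text) {
  return `<div class="note">${text}</div>`;
}

// Hardened pattern: same template, untrusted value passes through escapeHtml.
function renderSafe(text) {
  return `<div class="note">${escapeHtml(text)}</div>`;
}

// Check a tester can run over rendered HTML: does a live <script> tag or an
// inline event handler inside a real tag survive? After encoding there is no
// literal '<', so neither pattern can match.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Payloads quoted in the advisory, plus a constructed benign note to show the
// encoder does not mangle ordinary text containing &, < and quotes.
const STORED_INPUTS = [
  '<script>alert("stored")</script>',
  "<script>alert(5)</script>",
  'Call back on Monday <3 & confirm "pricing"',
];

// Render every input both ways and report whether active content survives.
function runComparison() {
  return STORED_INPUTS.map((input) => ({
    input,
    vulnerableExecutes: containsActiveContent(renderVulnerable(input)),
    safeExecutes: containsActiveContent(renderSafe(input)),
    safeHtml: renderSafe(input),
  }));
}

for (const row of runComparison()) {
  console.log(
    `${JSON.stringify(row.input)} -> vulnerable: ${row.vulnerableExecutes}, ` +
      `encoded: ${row.safeExecutes}`
  );
}
```

Note that `escapeHtml` is only correct for the HTML body and double-quoted attribute contexts; a value written into a JavaScript block, a URL or a CSS property needs the encoder for that context. In a Laravel-style template the equivalent of `renderSafe` is the escaping output syntax, and the bug class above corresponds to using the unescaped form on user-controlled fields.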
The vendor has been informed of these issues.
Disclosure Timeline
- September 18, 2024 – Vulnerabilities identified
- September 21, 2024 – Advisory published