Tag
#Advisory
Posts from Bytium on this topic.
Leantime 3.8.0 Broken Access Control
Leantime is a popular open-source project-management app. Its front-end talks to a JSON-RPC API, and several of those API methods forgot to check *who* is calling them. We already covered how that lets any low-privilege user make themselves an administrator.
Krayin CRM 2.2.0 - Authenticated Arbitrary File Upload to RCE
Krayin CRM 2.2.0 ships a TinyMCE media-upload endpoint that accepts any file extension and stores the result on a publicly served Laravel disk
Krayin CRM 2.2.0 - Cross-User IDOR Across Lead, Contact, and Activity Controllers
Authenticated cross user idor vulnerability has been identified in Webkul's Krain CRM 2.2.0.
Perfex CRM 3.4.1 Cross-Tenant IDOR Vulnerability
Stored XSS in Perfex CRM 3.2.1 Contracts Module
Stored XSS in Perfex CRM 3.2.1 project discussions allows authenticated clients to inject JavaScript that runs for other users.
Stored Cross-Site Scripting in Perfex CRM 3.2.1 Project Discussions
Stored XSS in Perfex CRM 3.2.1 project discussions allows authenticated clients to inject JavaScript that runs for other users.
Stored XSS Vulnerabilities in CRMGo SaaS 7.2
Two stored cross-site scripting (XSS) vulnerabilities were identified in CRMGo SaaS version 7.2