Vulnerability Details
Affected Version: CRMGo 7.2
Severity: High
Two stored XSS (Cross-site Scripting) vulnerabilities were identified in CRMGO SaaS version 7.2. They allow an authenticated (low-privileged) attacker to inject and store malicious JavaScript that is executed when any other user, including the administrator, views the vulnerable pages.
Steps to Reproduce
XSS 1
Endpoint: /deal/{id}/note
Parameter: notes
- View Deal Module
- Add a Note with the below payload:
<script>alert("stored")</script>
- Save and view the note again
XSS 2
Endpoint: /project/task/{task_id}/show
Vulnerable Parameter: comment
Steps to Reproduce
- View any task in the Projects module.
- Add a comment using the payload:
<script>alert(5)</script>
- The script is executed whenever the comment is viewed.
Impact
- Phishing and Malware Deployment
- User impersonation
- Data Theft and other malicious activities
Recommendation
Users should avoid interacting with untrusted input fields and monitor for updates or patches addressing these vulnerabilities. The vendor has been informed of the issue.
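Added example, not part of the original advisory and not CRMGo code: a Python sketch of the two checks an operator or maintainer would apply to the `notes` and `comment` fields, namely auditing already-stored values for active markup and output-encoding them when rendered. The row layout, function names and sample rows are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Elements that run or load active content when a browser parses them.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "base"}
URL_ATTRS = {"href", "src", "action", "formaction"}

class ActiveMarkupFinder(HTMLParser):
    """Records why a stored text field would be active if emitted as raw HTML."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} event handler on <{tag}>")
            elif name in URL_ATTRS and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

def audit_field(value):
    """Return the list of findings for one stored notes/comment value."""
    finder = ActiveMarkupFinder()
    finder.feed(value)
    finder.close()
    return finder.findings

def audit_rows(rows):
    """Return (source, row_id, findings) for every row that needs cleanup."""
    return [(s, i, f) for s, i, v in rows if (f := audit_field(v))]

def render_field(value):
    """Output-encode a stored value for an HTML text or quoted-attribute context."""
    return html.escape(value, quote=True)

# Constructed sample rows; rows 2 and 3 hold the payloads quoted in the advisory.
SAMPLE_ROWS = [
    ("deal note", 1, "Call back Monday, budget < 5k & rising"),
    ("deal note", 2, '<script>alert("stored")</script>'),
    ("task comment", 3, "<script>alert(5)</script>"),
    ("task comment", 4, '<b onclick="f()">bold</b>'),
]

if __name__ == "__main__":
    for src, rid, why in audit_rows(SAMPLE_ROWS):
        print(f"{src} #{rid}: {', '.join(why)}")
    print(render_field(SAMPLE_ROWS[1][2]))
```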