Need an urgent support?

Call: +1 307 392 4577

Stored XSS Vulnerabilities in CRMGo SaaS Version 7.2

Vulnerability Details

Affected Version: CRMGo 7.2
Severity: High

Two stored XSS(Cross-site Scripting) vulnerabilities were identified for CRMGO SaaS version 7.2, which allows an authenticated(low privileged) attacker to inject and store malicious javascript that will be executed if any other users, including the administrator, view the vulnerable pages.

Step To reproduce

XSS 1

Endpoint: /deal/{id}/note
Parameter: notes

  1. View Deal Module
  2. Add a Note with the below payload:
    <script>alert("stored")</script>
  3. Save and view the note again

XSS 2

Endpoint: /project/task/{task_id}/show
Vulnerable Parameter: comment

Step to Reproduce

  1. View any task in the Projects module.
  2. Add a comment using the payload:
    <script>alert(5)</script>
  3. The script is executed whenever the comment is viewed.

Impact

  • Phishing and Malware Deployment
  • User impersonation
  • Data Theft and other malicious activities

Recommendation

Users should avoid interacting with untrusted input fields and monitor for updates or patches addressing these vulnerabilities. The vendor has been informed of the issue.

Written by

Bytium Team

Bytium is a global information technology company aim to empower business with hassle-free various IT services including general IT support to advanced cybersecurity services for affordable price.