vTiger CRM 7.4.0 Cross Site Scripting

vTiger CRM 7.4.0 Cross Site Scripting
2024-8-29 22:37:48 Author: packetstormsecurity.com(查看原文) 阅读量:15 收藏
[CVE-ID]:CVE-2024-44778
------------------------------------------
[Suggested description]:A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
------------------------------------------
[Additional Information]
PoC:
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22
------------------------------------------
[Vulnerability Type]:Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]:vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]:The parent parameter of vTiger CRM 7.4.0 Index page
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[CVE Impact Other]:Run Arbitrary Javascript code
------------------------------------------
[Attack Vectors]:Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22[CVE-ID]:CVE-2024-44779
------------------------------------------
[Suggested description]
A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
------------------------------------------
[Additional Information]:
PoC:
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd'+onpointerdown=alert()+alt=
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]:vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]:The "viewname" parameter of vTiger CRM 7.4.0 Index page .
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[CVE Impact Other]:
Run Arbitrary JS code
------------------------------------------
[Attack Vectors]
Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd
[CVE-ID]:CVE-2024-44777
------------------------------------------
[Suggested description]
A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
------------------------------------------
[Additional Information]
PoC:
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22
------------------------------------------
[Vulnerability Type]:Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]:vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]
The "tag" parameter of vTiger CRM 7.4.0 Index page
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[CVE Impact Other]
Run Arbitrary Javascript code
------------------------------------------
[Attack Vectors]:Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22
文章来源: https://packetstormsecurity.com/files/180462/vtigercrm740-xss.txt
如有侵权请联系:admin#unsafe.sh