X2Engine / X2CRM

X2CRM Open Source CRM - PHP
http://www.x2crm.com

Stored XSS in Contact first name and last name #161

Closed Fadavvi closed 1 year ago

Fadavvi commented 5 years ago

Hi,

Description :

Create a contact with

first name: test"><img src=x onerror=prompt('@darknetguy');>

and last name : test2"><img src=x onerror=prompt('@darknetguy');>

(You can even delete the contact; it's worse!) The XSS will run in all pages where the activity feed is present. (In X2CRM CE V6.9)

Sample Pic: [screenshot 2018-11-06_14-33-13, not reproduced]

Payload to use : "><img src=x onerror=prompt('@darknetguy');>

Tested on Windows 10 Firefox | Google Chrome // CentOS 7 Firefox | Chromium

BR,

Milad Fadavvi
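The report above describes the classic shape of a stored XSS: a contact name is saved with markup in it and later concatenated into activity-feed HTML without encoding. The following PHP is an added illustration written for this page, not code from X2CRM; the payload string is the one quoted in the issue, while the `$contact` array, the feed template and the function names (`h`, `renderFeedEntryUnsafe`, `renderFeedEntrySafe`, `nameLooksLikeMarkup`) are constructed assumptions. It shows the vulnerable rendering beside a hardened one that encodes every dynamic value at the point of output, plus an optional input-side check that lets a save be logged or rejected.

```php
<?php
// Added example (not X2CRM's own code): render contact names with output
// encoding so that HTML/JS stored in a field is displayed as text, not executed.
// The payload below is the one from the issue; everything else is constructed.

declare(strict_types=1);

/**
 * Encode a string for safe insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8 instead
 * of returning an empty string, which would otherwise silently blank a name.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable rendering: stored fields are concatenated straight into markup. */
function renderFeedEntryUnsafe(array $contact): string
{
    return '<a href="/contacts/view/' . $contact['id'] . '" title="' . $contact['firstName']
         . '">' . $contact['firstName'] . ' ' . $contact['lastName'] . '</a> was updated';
}

/** Hardened rendering: every dynamic value passes through h() at output time. */
function renderFeedEntrySafe(array $contact): string
{
    $full = h($contact['firstName'] . ' ' . $contact['lastName']);
    return '<a href="/contacts/view/' . (int) $contact['id'] . '" title="' . $full
         . '">' . $full . '</a> was updated';
}

/**
 * Optional defence-in-depth check on the input side: flag names that contain
 * markup so the save can be logged or rejected. This is not a substitute for
 * output encoding, because legitimate names may contain characters such as ' or &.
 */
function nameLooksLikeMarkup(string $name): bool
{
    return (bool) preg_match('/[<>]|\bon\w+\s*=|javascript:/i', $name);
}

// Constructed sample contact carrying the payload quoted in the issue.
$payload = '"><img src=x onerror=prompt(\'@darknetguy\');>';
$contact = [
    'id'        => 42,
    'firstName' => 'test' . $payload,
    'lastName'  => 'test2' . $payload,
];

echo 'Unsafe: ' . renderFeedEntryUnsafe($contact) . PHP_EOL;
// The unsafe output contains a live <img ... onerror=...> element, so the
// script runs on every page that renders this feed entry.

echo 'Safe:   ' . renderFeedEntrySafe($contact) . PHP_EOL;
// The safe output contains &quot;&gt;&lt;img src=x onerror=... &gt; which the
// browser shows literally; the title attribute is likewise inert.

echo 'Flagged on save: ' . (nameLooksLikeMarkup($contact['firstName']) ? 'yes' : 'no') . PHP_EOL;
```

The important design point is that `h()` is applied once, at the template, to the exact string being emitted; encoding on input instead tends to either double-encode names that contain `&` or leave other render paths (exports, e-mail templates, JSON APIs) unprotected. The `nameLooksLikeMarkup` check is purely a detection aid for logging suspicious saves.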

pczupil commented 5 years ago

We will have this XSS fixed in our next release. Thank you for the info! I will keep this issue open until confirmation that the vector has been removed.