krayin / laravel-crm

Free & Opensource Laravel CRM solution for SMEs and Enterprises for complete customer lifecycle management.
https://krayincrm.com
Open Software License 3.0

XSS vulnerability at create tag function. #1700

Open KevinKien opened 1 week ago

KevinKien commented 1 week ago

XSS vulnerability at the "Lead" function. When I create a tag with the payload "2"><img src=x onerror=alert(String.fromCharCode(88,83,83));>", for example like the image below:

[screenshot]

After I click "create new tag", a pop-up will show, as in the image below.

[screenshot]

When anyone accesses the URL https://demo.krayincrm.com/krayin-42-112-15-238/admin/leads/view/8, the pop-up will show for that user.

Recommended: You should validate input for tags; don't allow inserting special characters, or HTML-encode special characters.
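Added example, not code from the Krayin project or the reporter: the two mitigations recommended above, an allow-list check on the tag name and HTML-encoding of the name before it is placed into markup, applied to the payload from the report. The allow-list policy (letters, digits, spaces, hyphens, underscores, up to 50 characters), the `renderTagChip` markup and all function names are assumptions made for this illustration; in a Laravel application the same effect comes from a validation rule on the request and from Blade's `{{ }}` escaping rather than raw output.

```javascript
// Added example (not Krayin's code): mitigations for a stored XSS in a tag name.
// (1) reject tag names containing HTML-significant characters (allow-list validation), and
// (2) HTML-encode the tag name before it is placed into markup, so the browser treats it as text.

// Payload from the issue report (constructed copy), used only as test input.
const REPORTED_PAYLOAD = '2"><img src=x onerror=alert(String.fromCharCode(88,83,83));>';

// Characters that must be encoded in element content and attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Mitigation 2: encode every HTML-significant character. Same idea as Laravel's e() helper /
// Blade's {{ }} output; implemented here by hand so the example runs stand-alone.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Mitigation 1: allow-list validation for tag names. Assumed policy: Unicode letters, digits,
// spaces, hyphens and underscores, 1..50 characters. Anything else is rejected before storage.
const TAG_NAME_RE = /^[\p{L}\p{N} _-]{1,50}$/u;

function isValidTagName(name) {
  return typeof name === 'string' && TAG_NAME_RE.test(name);
}

// Markup for a tag chip (assumed layout). The name is encoded both in the attribute value and
// in the element content, so the reported payload renders as literal text: no <img> element
// and no onerror handler ever reaches the DOM.
function renderTagChip(name) {
  const safe = escapeHtml(name);
  return `<span class="tag" data-name="${safe}">${safe}</span>`;
}

// Defensive check for a test suite: after stripping our own <span> wrapper, no raw tag
// delimiter may remain in the rendered markup.
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<span class="tag" data-name="[^"]*">/, '')
    .replace(/<\/span>$/, '');
  return /[<>]/.test(inner);
}

function main() {
  console.log('valid tag name?', isValidTagName(REPORTED_PAYLOAD)); // false: rejected on input
  console.log(renderTagChip(REPORTED_PAYLOAD));                       // encoded, inert markup
  console.log('injected tag?', containsInjectedTag(renderTagChip(REPORTED_PAYLOAD))); // false
}
main();
```

Both layers are worth keeping: validation stops the payload from being stored at all, while output encoding protects every page that later renders the tag (such as the lead view mentioned in the report) even if a value slips past validation or is written through another path.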

suraj-webkul commented 1 week ago

Hello, @KevinKien,

Thank you for addressing this issue. We appreciate the fix provided in PR #1675 and your prompt response.