krayin / laravel-crm

Free & Opensource Laravel CRM solution for SMEs and Enterprises for complete customer lifecycle management.
https://krayincrm.com
Open Software License 3.0
11.09k stars, 742 forks

XSS vulnerability at Note function. #1701

Open KevinKien opened 6 days ago

KevinKien commented 6 days ago

When I click on the Note function and comment with the payload `"2"><img src=x onerror=alert(String.fromCharCode(88,83,83));>"`

[screenshot]

After saving the note, a pop-up appears, as in the image below.

[screenshot]

Anyone who accesses the URL https://demo.krayincrm.com/krayin-42-112-15-238/admin/leads/view/24 will see the pop-up.

Recommended: you should validate the input for notes; either don't allow inserting special characters, or HTML-encode the special characters.
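The following is an added example, not code from krayin/laravel-crm or from the reporter. It shows why the posted payload executes when a note is interpolated into HTML without encoding, and how HTML-encoding the special characters (the reporter's second suggestion, equivalent to what Laravel's `e()` helper and Blade `{{ }}` do, as opposed to the raw `{!! !!}` syntax) leaves the same note inert. The template shape (`<div class="note" data-note="…">…</div>`), the function names, and the reading of the outer quotation marks in the issue as delimiters rather than part of the payload are assumptions made for illustration.

```javascript
// Added example, not krayin/laravel-crm code. The template shape below is an
// assumption for illustration, not the CRM's real markup.

// Payload as posted in the issue, with the outer quotation marks read as
// delimiters (an assumption).
const REPORTED_PAYLOAD = '2"><img src=x onerror=alert(String.fromCharCode(88,83,83));>"';

// Encode the five characters that matter in HTML text and attribute contexts.
// This mirrors PHP's htmlspecialchars($s, ENT_QUOTES), which Laravel's e() uses.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Vulnerable rendering: the note is interpolated raw, like Blade's {!! $note !!}.
// The payload's leading '">' closes the attribute and the tag, so the <img>
// that follows becomes real markup and its onerror handler runs.
function renderNoteUnsafe(note) {
  return `<div class="note" data-note="${note}">${note}</div>`;
}

// Hardened rendering: every interpolation goes through escapeHtml, like {{ $note }}.
// The quote and angle brackets become entities, so the browser sees text only.
function renderNoteSafe(note) {
  const enc = escapeHtml(note);
  return `<div class="note" data-note="${enc}">${enc}</div>`;
}

// Smoke check a reviewer can run over rendered output: report true if any tag
// other than the ones the template itself emits appears, or if any tag carries
// an on* event-handler attribute. Attribute values are parsed so that encoded
// text such as "&lt;img onerror=..." inside a quoted value is not mistaken for
// an attribute. This is a quick check, not a parser-grade XSS detector.
function containsInjectedMarkup(html, allowedTags = ['div']) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    if (!allowedTags.includes(tag[1].toLowerCase())) return true;
    let attr;
    attrRe.lastIndex = 0;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      if (/^on[a-z]+$/i.test(attr[1])) return true;
    }
  }
  return false;
}

// Stand-alone demonstration.
console.log('unsafe:', renderNoteUnsafe(REPORTED_PAYLOAD));
console.log('injected markup present:', containsInjectedMarkup(renderNoteUnsafe(REPORTED_PAYLOAD)));
console.log('safe:  ', renderNoteSafe(REPORTED_PAYLOAD));
console.log('injected markup present:', containsInjectedMarkup(renderNoteSafe(REPORTED_PAYLOAD)));
```

Output encoding at render time is the fix that holds regardless of what the note contains; input filtering alone tends to miss encodings and breaks legitimate notes that mention `<` or `"`. If the note must be rendered as rich text, a server-side HTML sanitizer with an allow-list is needed in addition to, not instead of, escaping everything else.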

suraj-webkul commented 5 days ago

Hello, @KevinKien,

Thank you for addressing this issue. We appreciate the fix provided in PR #1675 and your prompt response.