# Affected software: Zurmo CRM
# Zurmo is an Open Source Customer Relationship Management (CRM) application that is
# mobile, social, and gamified. We use a test-driven methodology for building every part of the
# application.
# Type of vulnerability: Stored XSS
# URL: zurmo.com
#
# Discovered by: Provensec
# Website: http://www.provensec.com
# Description: Zurmo CRM is prone to a persistent cross-site scripting attack that allows a malicious user to inject HTML or scripts that can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.
# Proof of concept
# 1. Create a report as a normal user
# 2. Select module: Accounts
# 3. Select filter: Name
# 4. Select column Employees and as a value use: "><script>alert('XSS by Provensec')</script>
# 5. Save the report and share it with other users to distribute your malicious code.
Screenshot attached

JSacco
CTO - Provensec.com
"Think as a hacker, be professional"
URL: http://provensec.com
Mobile: +31 6 8209 2565
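As an added illustration (not Zurmo's code and not part of the advisory), the Python below shows why the step 4 value takes effect when a saved filter value is interpolated raw into an HTML attribute, how attribute-context encoding neutralises the same value, and a simple audit over already-saved filters so existing records can be reviewed after a fix; the function names, field names and sample records are assumptions.

```python
# Added example (not Zurmo's code): attribute-context encoding of a stored
# report filter value, the raw-interpolation failure mode the advisory
# describes, and an audit check for saved values that carry markup.
# Function and field names are hypothetical.
import html
import re

# Constructed sample: the value from step 4 of the advisory.
POC_VALUE = "\"><script>alert('XSS by Provensec')</script>"

# Start of an HTML tag; a stored attribute value must never contain one.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def render_filter_input(field_name: str, stored_value: str) -> str:
    """Render a saved filter value into a form input, encoding for the
    attribute context (quotes, angle brackets and ampersand)."""
    safe_name = html.escape(field_name, quote=True)
    safe_value = html.escape(stored_value, quote=True)
    return f'<input name="{safe_name}" value="{safe_value}">'


def render_filter_input_unsafe(field_name: str, stored_value: str) -> str:
    """The failure mode the advisory describes: raw interpolation lets the
    leading quote close the attribute and start a new element."""
    return f'<input name="{field_name}" value="{stored_value}">'


def attribute_breaks_out(rendered: str) -> bool:
    """True if the fragment contains more than the one intended element,
    i.e. the stored value escaped its attribute."""
    return len(_TAG_RE.findall(rendered)) > 1


def audit_stored_filters(filters: list[dict]) -> list[str]:
    """Return ids of saved report filters whose value contains raw markup,
    so records saved before the fix can be reviewed."""
    return [f["id"] for f in filters if _TAG_RE.search(f["value"])]


if __name__ == "__main__":
    print(render_filter_input("employees", POC_VALUE))
    sample_filters = [  # constructed records, not real Zurmo data
        {"id": "r1", "value": "Acme"},
        {"id": "r2", "value": POC_VALUE},
    ]
    print(audit_stored_filters(sample_filters))  # ['r2']
```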