[Vtigercrm-developers] Security

Prasad prasad at vtiger.com
Tue Sep 30 04:03:48 GMT 2014


Błażej,

There are a few areas where XSS has been noted, and we are working to fix
them.

Evaluating XSS the way one would in a CMS is not appropriate, in my personal opinion.
Please let us know if an unauthenticated user / non-CRM user can make such
injections.

3. You can change any records from pricebook module

Please clarify.

4. You can put any html in notepad (e.g. external image)

Is this done without user authentication?

5. and many others

You can send us the list.

We will continue to weed them out. Thank you for letting us know again.

Regards,
Prasad


On Mon, Sep 29, 2014 at 10:29 PM, Pabiszczak, Błażej <
b.pabiszczak at opensaas.pl> wrote:

>
>    1. XSS in Cloud Tag (e.g.: a<script>alert(123)</script>b a)
>    2. The limit on the number of characters is ignored:
>     c<script>alert(document.cookie)</script>d
>       - You can view sessionid,
>       - you can put img from external address
>       - etc.
>    3. You can change any records from pricebook module.
>    4. You can put any html in notepad (e.g. external image)
>    5. and many others
>
> Do you test the systems? Do you use tools like Acunetix?
>
> Yours sincerely / Regards
> Błażej Pabiszczak
> M: +48.884999123
> E: b.pabiszczak at opensaas.pl
>
>
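The three findings quoted above (a tag label rendered unescaped, a character limit enforced only by the browser, and note bodies that may carry arbitrary HTML such as an image fetched from an external host) all come down to trusting user input that was stored under an authenticated session. The example below is added here for illustration and is not vtiger's code; the names, the 30-character tag limit and the allowed host crm.example.com are assumptions. It shows the server-side counterparts: HTML-encode a tag label at render time, re-check the length on the server because a form's maxlength is advisory, and, for the notepad where HTML is a feature, reduce the fragment to an allowlist of tags and attributes and drop images whose source is not the CRM's own host.

```python
"""Server-side handling of untrusted CRM input: encoding, length re-check,
allowlist sanitising. Illustrative code, not vtiger's implementation."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed limit for a tag label; the form's maxlength alone does not enforce it.
TAG_MAX_LEN = 30


def escape_for_html(value: str) -> str:
    """Encode an untrusted string before it is placed in an HTML text node
    (or a quoted attribute value), so <script> arrives as &lt;script&gt;."""
    return html.escape(value, quote=True)


def accept_tag_label(raw: str) -> bool:
    """Re-check the length on the server; a client that strips maxlength
    from the form can otherwise submit a payload of any size."""
    return len(raw) <= TAG_MAX_LEN


class AllowlistSanitizer(HTMLParser):
    """Keep only a small set of tags/attributes from a stored HTML note.
    Unknown tags are dropped (their text is kept); script/style are dropped
    with their content; href/src must be relative or on an allowed host."""
    ALLOWED = {"p": set(), "br": set(), "b": set(), "i": set(), "u": set(),
               "ul": set(), "ol": set(), "li": set(),
               "a": {"href"}, "img": {"src", "alt"}}
    VOID = {"br", "img"}
    DROP_WITH_CONTENT = {"script", "style"}

    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed_hosts = set(allowed_hosts)
        self.out = []
        self.skip_depth = 0  # >0 while inside script/style

    def _url_ok(self, url: str) -> bool:
        parts = urlsplit(url.strip())
        if parts.scheme == "" and parts.netloc == "":
            return True  # relative URL, same origin
        return parts.scheme in ("http", "https") and parts.hostname in self.allowed_hosts

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in self.DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in self.DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in self.ALLOWED:
            return
        kept = []
        for name, value in attrs:
            if name not in self.ALLOWED[tag] or value is None:
                continue  # drops on* handlers, style, etc.
            if name in ("href", "src") and not self._url_ok(value):
                if tag == "img":
                    return  # external image: drop the whole element
                continue  # javascript:/external href: drop the attribute
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in self.DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.ALLOWED and tag not in self.VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        return "".join(self.out)


def sanitize_note(fragment: str, allowed_hosts=("crm.example.com",)) -> str:
    """Return the allowlisted form of a stored note body."""
    parser = AllowlistSanitizer(allowed_hosts)
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs modelled on the payloads in the report.
    print(escape_for_html("a<script>alert(123)</script>b a"))
    print(accept_tag_label("c<script>alert(document.cookie)</script>d"))
    print(sanitize_note('<p>Hi <b>there</b></p><script>alert(document.cookie)</script>'
                        '<img src="http://evil.example/t.png">'
                        '<img src="/img/logo.png" alt="logo">'
                        '<a href="javascript:alert(1)">x</a>'))
```

Encoding at output time is the fix for the tag cloud; the sanitizer is only for places where HTML is deliberately accepted, and even there the external-image rule matters because a fetched image discloses the viewer's IP address and the time the record was opened to whoever controls that host.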