[Vtigercrm-developers] [Security] possible XSS

Vincenzo Bruno v.bruno at vinsoft.it
Wed Apr 14 08:52:10 GMT 2021


This is the exploit:

Manual steps to reproduce the vulnerability ...

1. Open the web application UI.

2. Log in to the UI with a regular user role.

3. Open Vendors and go to the compose-email form.

4. Inject a malicious payload as the "to" sender information, together with a valid target email address.

5. Send the request after composing.

6. Wait until the administrator or another higher-privileged targeted user clicks the email or receives it in the preview.

7. Successful reproduction of the cross-site scripting web vulnerability!

We must check whether it still works in the latest version.

Vincenzo



On 14 Apr 2021, at 10:38, Sukhdev Mohan <s.mohan at myti.it> wrote:
>Hi All,
>
>I was browsing this security-exploits website and found this:
>https://0day.today/exploit/description/35301
>Can anyone tell me if this has been fixed? There are other security
>exploits; this is the most recent.
>
>Best Regards,
>Sukhdev Mohan | Software Developer
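To make the defect behind the reproduction steps concrete, here is an added JavaScript example (it is not vtiger CRM code and was not posted by either participant) showing the stored-XSS pattern the report describes: a "to" value is saved as entered and later rendered into an HTML preview. The first renderer concatenates the value unescaped; the second applies output encoding; a submit-time recipient check is shown as defence in depth. The function names, the regular expression and the sample payload are constructed for this illustration.

```javascript
// Added illustration of the stored-XSS pattern described in the thread.
// Everything here (names, regex, payload) is constructed for the example;
// none of it is vtiger CRM code.

// Vulnerable rendering: the stored "to" value is concatenated straight into
// markup, so any HTML it carries is interpreted by the browser of whoever
// opens the preview (in the report, an administrator).
function renderPreviewUnsafe(to) {
  return '<div class="preview">To: ' + to + '</div>';
}

// Output encoding: replace the five characters that carry meaning in HTML
// text and quoted-attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened rendering: same template, value encoded at the point of output.
function renderPreviewSafe(to) {
  return '<div class="preview">To: ' + escapeHtml(to) + '</div>';
}

// Submit-time validation: accept a bare address or "Display Name <address>"
// with a conservative display-name character set. Markup, quotes and extra
// angle brackets are rejected before the value is stored. This is defence
// in depth, not a substitute for escaping on output.
const ADDR = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}';
const RECIPIENT_RE = new RegExp(
  '^(?:' + ADDR + '|[A-Za-z0-9 .,\'-]{1,64} <' + ADDR + '>)$'
);

function isValidRecipient(to) {
  return RECIPIENT_RE.test(to);
}

// Constructed sample inputs: a legitimate recipient, and a script-bearing
// tag in the "to" field of the kind the reproduction steps describe.
const SAMPLE_OK = 'Alice Example <alice@example.com>';
const SAMPLE_XSS = '<svg onload=alert(1)> <victim@example.com>';

// Runs both renderers and the validator over the samples.
function demo() {
  return {
    okValid: isValidRecipient(SAMPLE_OK),         // true
    xssValid: isValidRecipient(SAMPLE_XSS),       // false
    unsafeHtml: renderPreviewUnsafe(SAMPLE_XSS),  // still contains <svg ...>
    safeHtml: renderPreviewSafe(SAMPLE_XSS),      // tag neutralised as &lt;svg
  };
}

console.log(demo());
```

The encoding has to happen at output, in the context the value lands in (HTML text here; a URL or JavaScript context needs a different encoder), and on every untrusted field the preview shows, not only the recipient. The validator reduces what reaches storage but cannot be relied on alone, because the same stored value may be rendered by other code paths.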