Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stored XSS in Contact firsname and last name #161

Closed
Fadavvi opened this issue Nov 6, 2018 · 1 comment
Closed

Stored XSS in Contact firsname and last name #161

Fadavvi opened this issue Nov 6, 2018 · 1 comment
Assignees

Comments

@Fadavvi
Copy link

Fadavvi commented Nov 6, 2018

Hi,

Description :

Create a contact with

first name: test"><img src=x onerror=prompt('@darknetguy');>

and
last name : test2"><img src=x onerror=prompt('@darknetguy');>

( you can even delete the contact its worst!) XSS will run in to all pages than activity feed is present. ( in X2CRM CE V6.9)

Sample Pic:
2018-11-06_14-33-13

Payload to use : "><img src=x onerror=prompt('@darknetguy');>

Tested on Windows 10 Firefox | Google Chrome // Cent-OS 7 Firefox | Chromium

BR,

Milad Fadavvi

@Fadavvi Fadavvi changed the title XSS Stored in Contact firsname and last name Stored XSS in Contact firsname and last name Nov 6, 2018
@pczupil
Copy link
Contributor

pczupil commented Oct 21, 2019

We will have this XSS fixed in our next release. Thank you for the info! I will keep this issue open until confirmation that the vector has been removed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants