HTML INJECTION (zurmo-stable-3.2.4.01254e9117e1)

Issue #449 new
Provensec Security created an issue

Affected software: Zurmo CRM (zurmo-stable-3.2.4.01254e9117e1)

Type of vulnerability: HTML INJECTION

Vulnerable URL: http://zurmo.org/

Discovered by: BreachLock

Website: https://www.breachlock.com

Author: Balvinder Singh

Description: HTML injection is a type of injection issue that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. This vulnerability can have many consequences, like disclosure of a user's session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.

Proof of concept:

Step 1: Log in to the Zurmo CRM using the admin role.

Step 2: In the report section, create a report using the malicious HTML code, i.e. <h1>HTMLINJECTIONEXECUTED</h1>

Step 3: Here the name parameter is vulnerable to HTML INJECTION. (Screenshot attached)

Step 4: The HTML injection is then executed successfully. (Screenshot attached)

Vulnerable URL: http://localhost/zurmo/zurmo/app/index.php/reports/default/details?id=1
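Added illustration of the defect described above (example code, not from Zurmo or the reporter): a PHP fragment renders a stored report name once the vulnerable way and once HTML-encoded on output. The $report array and the two render functions are assumptions made for this example; Zurmo's own Yii views are not reproduced here.

```php
<?php
// Added example (not Zurmo's own code): a stored report name reaching the
// details page, rendered raw versus HTML-encoded on output.
// The $report array and both render functions are assumptions for this example.

declare(strict_types=1);

// Constructed sample input: the report name submitted in the proof of concept.
$report = ['id' => 1, 'name' => '<h1>HTMLINJECTIONEXECUTED</h1>'];

// Vulnerable pattern: the stored name is concatenated into the page as-is,
// so the browser parses the <h1> tag instead of displaying it as text.
function renderDetailsVulnerable(array $report): string
{
    return '<div class="report-name">' . $report['name'] . '</div>';
}

// Hardened pattern: encode at the output boundary. ENT_QUOTES also encodes
// both quote characters so the value is safe inside attribute values too;
// the charset argument must match the page's declared encoding.
function renderDetailsSafe(array $report): string
{
    $name = htmlspecialchars($report['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="report-name">' . $name . '</div>';
}

// Regression check for this issue: the user-supplied value must never appear
// unencoded in the generated markup.
function containsRawUserValue(string $html, string $userValue): bool
{
    return strpos($html, $userValue) !== false;
}

$vuln = renderDetailsVulnerable($report);
$safe = renderDetailsSafe($report);

echo "vulnerable markup: $vuln\n";
echo "encoded markup:    $safe\n";
echo 'raw tag present in vulnerable output: ' . var_export(containsRawUserValue($vuln, $report['name']), true) . "\n";
echo 'raw tag present in encoded output:    ' . var_export(containsRawUserValue($safe, $report['name']), true) . "\n";
```

The same encoding must be applied wherever the name is displayed (list views, titles, e-mail notifications), since escaping only on the details page leaves the other sinks open.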
