Zurmo CRM Cross Site Scripting

2014-07-02T00:00:00
ID PACKETSTORM:127333
Type packetstorm
Reporter Provensec
Modified 2014-07-02T00:00:00

Description

                                        
                                            `# Affected software: Zurmo CRM  
# Zurmo is an Open Source Customer Relationship Management (CRM) application that is  
# mobile, social, and gamified. We use a test-driven methodology for building every part of the   
# application.  
# Type of vulnerability: XSS Stored  
# URL: zurmo.com  
#  
# Discovered by: Provensec  
# Website: http://www.provensec.com  
  
# Description: ZumoCRM is prone to a Persistent Cross Site Scripting attack  
that allows a malicious user to inject HTML or scripts that can access any  
cookies, session tokens, or other  
sensitive information retained by your browser and used with that site.  
# Proof of concept  
# 1. Create a report as a Normal user  
# 2. Select module: Accounts  
# 3. Select filter: Name  
# 4. Select column Employees and as a value use: "><script>alert('XSS by  
Provensec')</script>  
# 5. Save the report and share it with other users to distribute your  
malicious code.  
  
Screenshot attached  
  
JSacco  
CTO - Provensec.com  
  
"Think as a hacker, be professional"  
URL: http://provensec.com  
Mobile: +31 6 8209 2565  
  
`