OroCRM Cross Site Scripting

2014-09-11T00:00:00
ID PACKETSTORM:128216
Type packetstorm
Reporter Provensec
Modified 2014-09-11T00:00:00

Description

# Affected software: OroCRM is an easy-to-use, open source CRM with built-in marketing automation tools for your commerce business. It's the CRM built for both sales and marketing!
# Discovered by: Provensec
# Website: http://www.provensec.com
# Author: Provensec Labs
# Type of vulnerability: Stored XSS
# Description:

1. Go to http://server, add a new lead and fill in all the fields properly, but fill the email field with the XSS payload as shown in the screenshot:
http://prntscr.com/4lf043

Payload used: "><img src=d onerror=confirm(/provensec/);>

2. Click the Save and Close button.

http://prntscr.com/4lf0ej
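As an added example (not part of the Provensec advisory and not OroCRM's own code), the vulnerable rendering pattern behind this class of bug beside its hardened form, using the advisory's payload as a constructed input; the lead view, `validate_email` and `save_lead` are hypothetical names written for this illustration.

```python
import html
import re

# Constructed sample: the stored-XSS payload quoted in the advisory, placed in
# the lead's email field the way the report describes.
ADVISORY_PAYLOAD = '"><img src=d onerror=confirm(/provensec/);>'

# Conservative address shape: local part, "@", dotted host. Quotes, angle
# brackets, slashes and whitespace all fail, so markup never reaches storage
# through this field in the first place.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_email(value: str) -> bool:
    """Return True only for a plain mailbox address; reject markup outright."""
    return bool(_EMAIL_RE.fullmatch(value.strip()))


def render_lead_unsafe(name: str, email: str) -> str:
    """The vulnerable pattern: a stored field interpolated into HTML verbatim.
    Hypothetical view code for this example, not OroCRM's template; it only
    reproduces the class of defect the advisory reports."""
    return f'<tr><td>{name}</td><td><a href="mailto:{email}">{email}</a></td></tr>'


def render_lead_safe(name: str, email: str) -> str:
    """Same view with contextual output encoding: every untrusted value is
    HTML-escaped; quote=True also escapes " and ' for the attribute context."""
    n = html.escape(name, quote=True)
    e = html.escape(email, quote=True)
    return f'<tr><td>{n}</td><td><a href="mailto:{e}">{e}</a></td></tr>'


def save_lead(name: str, email: str) -> dict:
    """Server-side gate a lead form should apply before persisting the record."""
    if not validate_email(email):
        raise ValueError("email: not a valid address")
    return {"name": name, "email": email}


if __name__ == "__main__":
    print(render_lead_unsafe("Acme", ADVISORY_PAYLOAD))  # markup survives into the page
    print(render_lead_safe("Acme", ADVISORY_PAYLOAD))    # markup rendered as inert text
```

Both layers matter: validation stops this field from storing markup, and escaping at render time protects every other path (imports, API writes, existing rows) that the form validator never sees.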