Packet Storm | Marco Nappi | PACKETSTORM:180462
History: Aug 29, 2024 - 12:00 a.m.

vTiger CRM 7.4.0 Cross Site Scripting

2024-08-29 00:00:00
Marco Nappi
packetstormsecurity.com
Tags: vtiger crm 7.4.0, cross site scripting, remote, crafted url, run arbitrary javascript code, vendor confirmation, marco nappi, index page, attack type

AI Score: 7.4 (Confidence: Low)
EPSS: 0.002 (Percentile: 53.2%)

```text
[CVE-ID]: CVE-2024-44778
------------------------------------------
[Suggested description]: A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser by injecting a crafted payload.
------------------------------------------
[Additional Information]
PoC:
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22
------------------------------------------
[Vulnerability Type]: Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]: vTiger
------------------------------------------
[Affected Product Code Base]: vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]: The "parent" parameter of vTiger CRM 7.4.0 Index page.
------------------------------------------
[Attack Type]: Remote
------------------------------------------
[CVE Impact Other]: Run Arbitrary JavaScript code
------------------------------------------
[Attack Vectors]: Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]: true
------------------------------------------
[Discoverer]: Marco Nappi
------------------------------------------
[Reference]
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22


[CVE-ID]: CVE-2024-44779
------------------------------------------
[Suggested description]: A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser by injecting a crafted payload.
------------------------------------------
[Additional Information]
PoC:
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd'+onpointerdown=alert()+alt=
------------------------------------------
[Vulnerability Type]: Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]: vTiger
------------------------------------------
[Affected Product Code Base]: vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]: The "viewname" parameter of vTiger CRM 7.4.0 Index page.
------------------------------------------
[Attack Type]: Remote
------------------------------------------
[CVE Impact Other]: Run Arbitrary JS code
------------------------------------------
[Attack Vectors]: Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]: true
------------------------------------------
[Discoverer]: Marco Nappi
------------------------------------------
[Reference]
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd


[CVE-ID]: CVE-2024-44777
------------------------------------------
[Suggested description]: A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser by injecting a crafted payload.
------------------------------------------
[Additional Information]
PoC:
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22
------------------------------------------
[Vulnerability Type]: Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]: vTiger
------------------------------------------
[Affected Product Code Base]: vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]: The "tag" parameter of vTiger CRM 7.4.0 Index page.
------------------------------------------
[Attack Type]: Remote
------------------------------------------
[CVE Impact Other]: Run Arbitrary JavaScript code
------------------------------------------
[Attack Vectors]: Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]: true
------------------------------------------
[Discoverer]: Marco Nappi
------------------------------------------
[Reference]
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22
```
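All three records describe the same defect: a query-string parameter of index.php is reflected into the page without context-appropriate encoding, so the PoC values break out of an attribute or script context. The following Python is an added defensive example, not part of the Packet Storm advisory and not vTiger's own code. It scans web-server access-log lines (Apache combined format is assumed; the log lines are constructed here) for requests that place quote, angle-bracket, call or event-handler tokens in the three parameters the advisory names, and it decodes percent- and plus-encoding in extra rounds so a double-encoded variant of the same payload is still seen. The parameter names and PoC values are the ones reported above; everything else is an assumption.

```python
"""Flag reflected-XSS probes against the vTiger CRM index page parameters
named in the advisory (parent, viewname, tag) in access-log lines.

Added example for defenders; not part of the advisory or of vTiger's code.
Assumes Apache combined-format access logs; the sample lines are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Parameters the advisory reports as reflected into the index page.
WATCHED_PARAMS = {"parent", "viewname", "tag"}

# Tokens that let a reflected value escape an HTML attribute or a JavaScript
# string: quotes, angle brackets, a bare call "()" or an on*= event handler.
BREAKOUT_RE = re.compile(r"""["'<>]|\(\s*\)|\bon[a-z]+\s*=""", re.IGNORECASE)

# Request line inside a combined-format entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are visible."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return {param: decoded_value} for watched index.php parameters whose
    decoded value contains context-breaking tokens; {} when there are none."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return {}
    hits = {}
    # parse_qsl already applies one decoding round (including '+' -> ' ').
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in WATCHED_PARAMS:
            continue
        value = decode_fully(value)
        if BREAKOUT_RE.search(value):
            hits[name] = value
    return hits


def scan_log(lines):
    """Return [(line_no, client_ip, hits)] for each line whose request carries
    a suspicious value in a watched parameter."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group("target"))
        if hits:
            client_ip = line.split(" ", 1)[0]
            findings.append((line_no, client_ip, hits))
    return findings


# Constructed sample log: benign requests interleaved with the advisory's PoC
# values as they would appear URL-encoded in a log, plus one double-encoded
# variant of the tag payload (line 5).
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Aug/2024:10:00:01 +0000] "GET /vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY HTTP/1.1" 200 5120',
    '203.0.113.5 - - [29/Aug/2024:10:00:02 +0000] "GET /vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22 HTTP/1.1" 200 5130',
    '198.51.100.7 - - [29/Aug/2024:10:00:03 +0000] "GET /vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd%27+onpointerdown=alert()+alt= HTTP/1.1" 200 5100',
    '198.51.100.7 - - [29/Aug/2024:10:00:04 +0000] "GET /vtigercrm7demo/index.php?module=Accounts&view=List&viewname=All HTTP/1.1" 200 5100',
    '192.0.2.9 - - [29/Aug/2024:10:00:05 +0000] "GET /vtigercrm7demo/index.php?module=Invoice&view=List&tag=%2529%253Balert%2528%2529%253B HTTP/1.1" 200 5100',
    '192.0.2.9 - - [29/Aug/2024:10:00:06 +0000] "GET /vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22 HTTP/1.1" 200 5100',
]

if __name__ == "__main__":
    for line_no, ip, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no} from {ip}: {hits}")
```

Run stand-alone it prints one line per hit: lines 2, 3, 5 and 6 of the constructed log are flagged, the benign requests on lines 1 and 4 are not. Restricting the check to the three named parameters on index.php keeps the rule specific to this advisory; the bounded re-decoding in `decode_fully` stops as soon as a value no longer changes, so ordinary literal percent signs are not decoded endlessly.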
