Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Mutliple Vulnerabilities in ZurmoCRM 3.0.5

From: "NaxoneZ ." <naxonez () gmail com>
Date: Mon, 30 Nov 2015 15:41:23 +0100
Hi,

I found this issues in ZurmoCRM. All issues are reported in their github.

1.- Html Injection


   - If you create a Product, list, etc. with this name:
<h1>injection</h1>[image:
   Imágenes integradas 1]
   - When you go to preview page (in this case products), you can see the
   injection: [image: Imágenes integradas 2]

2.- Information Disclosure
When you put %00 in moduleClassName you can see the full path of the
installation of ZurmoCRM: /index.php/designer/default/
modulesMenu?moduleClassName=%00

[image: Imágenes integradas 3]


3.- XSS
When you create a list in the "check list" field you can insert a XSS code:

index.php/tasks/default/list#
[image: Imágenes integradas 4]

All issues are reported:
https://github.com/zurmo/Zurmo/issues

You can test this issues in the demo page:
http://demo.zurmo.com/demos/stable/app/index.php/zurmo/default/login

Regards.

----
Sergio Galán aka @NaxoneZ



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: