Full Disclosure mailing list archives
Multiple Vulnerabilities in ZurmoCRM 3.0.5
From: "NaxoneZ ." <naxonez () gmail com>
Date: Mon, 30 Nov 2015 15:41:23 +0100
Hi,

I found these issues in ZurmoCRM. All issues are reported on their GitHub.

1.- HTML Injection

- If you create a Product, list, etc. with this name: <h1>injection</h1>
[image: Inline image 1]
- When you go to the preview page (in this case products), you can see the injection:
[image: Inline image 2]

2.- Information Disclosure

When you put %00 in moduleClassName you can see the full path of the installation of ZurmoCRM:
/index.php/designer/default/modulesMenu?moduleClassName=%00
[image: Inline image 3]

3.- XSS

When you create a list in the "check list" field you can insert an XSS code:
index.php/tasks/default/list#
[image: Inline image 4]

All issues are reported: https://github.com/zurmo/Zurmo/issues

You can test these issues in the demo page: http://demo.zurmo.com/demos/stable/app/index.php/zurmo/default/login

Regards.

----
Sergio Galán aka @NaxoneZ
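The three findings above share two root causes: user-supplied text placed into HTML without output encoding (issues 1 and 3) and a request parameter passed through to a class or file lookup without validation (issue 2). The following Python example is added here for illustration and is not code from the post or from the Zurmo project. It shows the defensive pattern for each: encode every stored value at render time, allowlist a class-name parameter so a NUL byte (%00) is rejected before any lookup, and a small detector that flags NUL bytes in query parameters of access-log lines. The product records, the log lines and the class name "ProductsModule" are constructed for the example and are not Zurmo identifiers.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample records, shaped like CRM entries (not real Zurmo data).
# The second and third names carry the kind of payload described in the post.
PRODUCTS = [
    {"name": "Widget", "price": 9.99},
    {"name": "<h1>injection</h1>", "price": 1.0},
    {"name": "Gadget <script>alert(1)</script>", "price": 5.0},
]


def render_product_preview(product):
    """Encode every user-controlled value at the point it enters HTML.

    html.escape with quote=True also neutralises quotes, so the same helper
    is safe for attribute values, not only for element text.
    """
    name = html.escape(str(product["name"]), quote=True)
    return f"<tr><td>{name}</td><td>{product['price']:.2f}</td></tr>"


# A module class name is a plain identifier; nothing else is accepted.
MODULE_CLASS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_module_class_name(raw):
    """Allowlist check for a class-name request parameter.

    Returns the name when it is a bare identifier, otherwise None. A NUL byte,
    path separators or other punctuation fail here, before the value can reach
    a class autoloader or filesystem lookup and trigger a path-revealing error.
    """
    if raw is None or "\x00" in raw:
        return None
    return raw if MODULE_CLASS_RE.fullmatch(raw) else None


# Constructed access-log lines (common log format); the second one carries
# the %00 probe from the post. Hostnames and addresses are documentation values.
LOG_LINES = [
    '203.0.113.5 - - [30/Nov/2015:15:41:23 +0100] '
    '"GET /index.php/designer/default/modulesMenu?moduleClassName=ProductsModule HTTP/1.1" 200 1234',
    '203.0.113.5 - - [30/Nov/2015:15:41:30 +0100] '
    '"GET /index.php/designer/default/modulesMenu?moduleClassName=%00 HTTP/1.1" 500 2048',
    '198.51.100.9 - - [30/Nov/2015:15:42:01 +0100] '
    '"GET /index.php/tasks/default/list HTTP/1.1" 200 5120',
]


def find_null_byte_requests(lines):
    """Return (parameter, request path) pairs whose decoded query value contains a NUL byte.

    parse_qs percent-decodes values, so %00 becomes "\\x00" and is matched
    regardless of how it was encoded in the raw request line.
    """
    hits = []
    for line in lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue                      # not a request line we understand
        fields = parts[1].split()         # e.g. ["GET", "/path?x=y", "HTTP/1.1"]
        if len(fields) < 2:
            continue
        path = fields[1]
        query = urlsplit(path).query
        for key, values in parse_qs(query, keep_blank_values=True).items():
            if any("\x00" in v for v in values):
                hits.append((key, path))
    return hits


if __name__ == "__main__":
    for p in PRODUCTS:
        print(render_product_preview(p))
    for candidate in ("ProductsModule", "\x00", "../etc"):
        print(repr(candidate), "->", validate_module_class_name(candidate))
    print(find_null_byte_requests(LOG_LINES))
```

Encoding at render time rather than stripping tags on input is the choice that survives new output contexts: the stored value stays intact for search and export, and every template that displays it gets the same protection. The allowlist for moduleClassName is deliberately stricter than "reject NUL bytes"; a plain identifier is the only shape that parameter legitimately takes.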
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/