Zurmo CRM 2.8.5 Multiple Reflected Cross-Site Scripting Vulnerabilities
Title: Zurmo CRM 2.8.5 Multiple Reflected Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2015-5221
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 07.01.2015
PHP 5.6.3
MySQL 5.6.21
[05.01.2015] Vendor contacted.
[05.01.2015] Vendor responds asking more details.
[06.01.2015] Sent details to the vendor.
[06.01.2015] Vendor states that they only provide support on the commercial versions.
[07.01.2015] Public security advisory released.
[2] http://cxsecurity.com/issue/WLB-2015010033
[3] http://osvdb.org/show/osvdb/116804
[4] http://osvdb.org/show/osvdb/116805
[5] http://www.securityfocus.com/bid/71923
[6] https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99926
[12.01.2015] - Added reference [1], [2], [3], [4] and [5]
[13.03.2015] - Added reference [6]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2015-5221
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 07.01.2015
Summary
Zurmo is an Open Source Customer Relationship Management (CRM) application that is mobile, social, and gamified.Description
Zurmo CRM suffers from multiple reflected cross-site scripting vulnerabilities. The issues are triggered when input passed via several GET parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.Vendor
Zurmo Inc. - http://www.zurmo.orgAffected Version
2.8.5Tested On
Apache 2.4.10 (Win32)PHP 5.6.3
MySQL 5.6.21
Vendor Status
[02.01.2015] Vulnerabilities discovered.[05.01.2015] Vendor contacted.
[05.01.2015] Vendor responds asking more details.
[06.01.2015] Sent details to the vendor.
[06.01.2015] Vendor states that they only provide support on the commercial versions.
[07.01.2015] Public security advisory released.
PoC
zurmo_xss.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://packetstormsecurity.com/files/129842[2] http://cxsecurity.com/issue/WLB-2015010033
[3] http://osvdb.org/show/osvdb/116804
[4] http://osvdb.org/show/osvdb/116805
[5] http://www.securityfocus.com/bid/71923
[6] https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99926
Changelog
[07.01.2015] - Initial release[12.01.2015] - Added reference [1], [2], [3], [4] and [5]
[13.03.2015] - Added reference [6]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk