vTiger CRM 7.4.0 Cross Site Scripting

vTiger CRM 7.4.0 Cross Site Scripting
Posted Aug 29, 2024
Authored by Marco Nappi

vTiger CRM version 7.4.0 suffers from multiple reflective cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2024-44777, CVE-2024-44778, CVE-2024-44779
SHA-256 | d9025e02ef6a363801fc7c5e851c41ef9b220bc58ddf23135770c3a709cde894
Download | Favorite | View
[CVE-ID]:CVE-2024-44778
------------------------------------------
[Suggested description]:A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
------------------------------------------
[Additional Information]PoC:
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22
------------------------------------------
[Vulnerability Type]:Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]:vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]:The parent parameter of vTiger CRM 7.4.0 Index page
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[CVE Impact Other]:Run Arbitrary Javascript code
------------------------------------------
[Attack Vectors]:Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22[CVE-ID]:CVE-2024-44779
------------------------------------------
[Suggested description]A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
------------------------------------------
[Additional Information]:
PoC:
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd'+onpointerdown=alert()+alt=
------------------------------------------
[Vulnerability Type]Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]:vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]:The "viewname" parameter of vTiger CRM 7.4.0 Index page .
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[CVE Impact Other]:
Run Arbitrary JS code
------------------------------------------
[Attack Vectors]Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd
[CVE-ID]:CVE-2024-44777
------------------------------------------
[Suggested description]A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
------------------------------------------
[Additional Information]PoC:
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22
------------------------------------------
[Vulnerability Type]:Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]:vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]The "tag" parameter of vTiger CRM 7.4.0 Index page
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[CVE Impact Other]Run Arbitrary Javascript code
------------------------------------------
[Attack Vectors]:Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22

آسیب‌پذیری‌های جدید و وصله‌های امنیتی به‌صورت مداوم منتشر می‌شوند و عدم بروزرسانی به‌موقع می‌تواند امنیت سرویس‌های حیاتی را به خطر بیندازد. خدمات مدیریت و پشتیبانی سرور آفاق هاستینگ شامل پایش امنیتی، بروزرسانی نرم‌افزارها، نصب Patchهای امنیتی و سخت‌سازی سرورها است.

خدمات مدیریت و امنیت سرور

نوشته های مشابه

CVE-2026-12175 – CodeAstro Student Attendance Management System createStudents.php sql injection

CVE-2026-12176 – SourceCodester CET Automated Grading System with AI Predictive Analytics index.php cross site scripting

CVE-2026-12174 – D-Link DCS-935L HTTP rhea snprintf format string

CVE-2026-12183 – Nefteprodukttekhnika BUK TS-G Improper Authentication