{"id":59230,"date":"2024-08-29T19:59:40","date_gmt":"2024-08-29T16:59:40","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180462\/vtigercrm740-xss.txt"},"modified":"2024-08-29T19:59:40","modified_gmt":"2024-08-29T16:59:40","slug":"vtiger-crm-7-4-0-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/vtiger-crm-7-4-0-cross-site-scripting\/","title":{"rendered":"vTiger CRM 7.4.0 Cross Site Scripting"},"content":{"rendered":"
\n
vTiger CRM 7.4.0 Cross Site Scripting<\/strong><\/a><\/dt>\n
Posted Aug 29, 2024<\/a><\/dd>\n
Authored by Marco Nappi<\/a><\/dd>\n
\n

vTiger CRM version 7.4.0 suffers from multiple reflective cross site scripting vulnerabilities.<\/p>\n<\/dd>\n

tags<\/span> | exploit<\/a>, vulnerability<\/a>, xss<\/a><\/dd>\n
advisories<\/span> | CVE-2024-44777<\/a>, CVE-2024-44778<\/a>, CVE-2024-44779<\/a><\/dd>\n
SHA-256<\/span> | d9025e02ef6a363801fc7c5e851c41ef9b220bc58ddf23135770c3a709cde894<\/code><\/dd>\n
Download<\/a> | Favorite<\/a> | View<\/a><\/dd>\n<\/dl>\n
\n
[CVE-ID]:CVE-2024-44778
------------------------------------------
[Suggested description]:A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
------------------------------------------
[Additional Information]PoC:
https:\/\/demo7.vtexperts.com\/vtigercrm7demo\/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22
------------------------------------------
[Vulnerability Type]:Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]:vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]:The parent parameter of vTiger CRM 7.4.0 Index page
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[CVE Impact Other]:Run Arbitrary Javascript code
------------------------------------------
[Attack Vectors]:Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]http:\/\/vtiger.com
https:\/\/demo7.vtexperts.com\/vtigercrm7demo\/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22[CVE-ID]:CVE-2024-44779
------------------------------------------
[Suggested description]A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
------------------------------------------
[Additional Information]:
PoC:
https:\/\/demo7.vtexperts.com\/vtigercrm7demo\/index.php?module=Accounts&view=List&viewname=95ddd'+onpointerdown=alert()+alt=
------------------------------------------
[Vulnerability Type]Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]:vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]:The \"viewname\" parameter of vTiger CRM 7.4.0 Index page .
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[CVE Impact Other]:
Run Arbitrary JS code
------------------------------------------
[Attack Vectors]Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]http:\/\/vtiger.com
https:\/\/demo7.vtexperts.com\/vtigercrm7demo\/index.php?module=Accounts&view=List&viewname=95ddd<\/p>[CVE-ID]:CVE-2024-44777
------------------------------------------
[Suggested description]A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
------------------------------------------
[Additional Information]PoC:
https:\/\/demo7.vtexperts.com\/vtigercrm7demo\/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22
------------------------------------------
[Vulnerability Type]:Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]:vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]The \"tag\" parameter of vTiger CRM 7.4.0 Index page
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[CVE Impact Other]Run Arbitrary Javascript code
------------------------------------------
[Attack Vectors]:Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]http:\/\/vtiger.com
https:\/\/demo7.vtexperts.com\/vtigercrm7demo\/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22
<\/p><\/code><\/pre>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
vTiger CRM 7.4.0 Cross Site Scripting Posted Aug 29, 2024 Authored by Marco Nappi vTiger CRM version 7.4.0 suffers from multiple reflective cross site scripting vulnerabilities. tags | exploit, vulnerability, xss advisories | CVE-2024-44777, CVE-2024-44778, CVE-2024-44779 SHA-256 | d9025e02ef6a363801fc7c5e851c41ef9b220bc58ddf23135770c3a709cde894 Download | Favorite | View [CVE-ID]:CVE-2024-44778——————————————[Suggested description]:A reflected cross-site scripting (XSS) vulnerability in the parent parameter …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59230","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59230","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59230"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59230\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59230"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}