Zurmo CRM 2.8.5 Multiple Reflected Cross-Site Scripting Vulnerabilities

Severity: Medium
Advisory ID: ZSL-2015-5221
Release Date: 07 January 2015
Vendor:
Affected Version: 2.8.5
CVE: N/A
Tested On: Apache 2.4.10 (Win32), PHP 5.6.3, MySQL 5.6.21
Summary

Zurmo is an Open Source Customer Relationship Management (CRM) application that is mobile, social, and gamified.

Description

Zurmo CRM suffers from multiple reflected cross-site scripting vulnerabilities. The issues are triggered when input passed via several GET parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
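As an added example (not Zurmo's own code), here is the bug class the description refers to, in PHP as Zurmo is written: a GET parameter written into HTML with no output encoding, beside the corrected form that encodes at the point of output. The parameter name `q`, the markup and the request value are constructed for the example.

```php
<?php
// Added example, not Zurmo's code. Shows the pattern behind the advisory:
// a GET parameter reflected into HTML without output encoding, next to the
// corrected version. Parameter name "q" and the markup are constructed.

// Vulnerable pattern: the raw parameter value is concatenated into markup,
// so a value containing '<', '"' or "'" changes the page structure.
function render_search_unsafe(array $get)
{
    $q = isset($get['q']) ? $get['q'] : '';
    return '<input type="text" name="q" value="' . $q . '">'
         . '<p>Results for ' . $q . '</p>';
}

// Fixed pattern: HTML-encode every untrusted value where it is written into
// HTML. ENT_QUOTES encodes both quote styles, so the value is safe inside
// double- or single-quoted attributes as well as in text nodes.
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_search_safe(array $get)
{
    $q = isset($get['q']) ? $get['q'] : '';
    return '<input type="text" name="q" value="' . h($q) . '">'
         . '<p>Results for ' . h($q) . '</p>';
}

// Constructed request: a value that closes the attribute and adds markup
// (a stand-in for the unspecified parameters in the advisory).
$request = array('q' => '"><b>injected</b>');

$unsafe = render_search_unsafe($request);
$safe   = render_search_safe($request);

// Check a reviewer can run: the raw tag survives in the unsafe output and
// appears only as encoded text in the safe output.
assert(strpos($unsafe, '<b>injected</b>') !== false);
assert(strpos($safe, '<b>injected</b>') === false);
assert(strpos($safe, '&quot;&gt;&lt;b&gt;injected&lt;/b&gt;') !== false);

echo $unsafe, "\n", $safe, "\n";
```

In a Yii 1.x application such as Zurmo, `CHtml::encode()` wraps the same `htmlspecialchars()` call, so the fix is to pass every reflected parameter through it before rendering.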

Proof of Concept
Disclosure Timeline
02.01.2015 - Vulnerabilities discovered.
05.01.2015 - Vendor contacted.
05.01.2015 - Vendor responds asking for more details.
06.01.2015 - Sent details to the vendor.
06.01.2015 - Vendor states that they only provide support on the commercial versions.
07.01.2015 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
07.01.2015 - Initial release
12.01.2015 - Added references [1], [2], [3], [4] and [5]
13.03.2015 - Added reference [6]