vtiger CRM 5.2.1 Multiple Remote Cross-Site Scripting Vulnerabilities Vendor: vTiger Product web page: http://www.vtiger.com Affected version: 5.2.1 Summary: vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal for small and medium businesses, with low-cost product support available to production users that need reliable support. Desc: vtiger CRM suffers from a XSS vulnerability when parsing user input to the '_operation' and 'search' parameters via GET method in '/modules/mobile/index.php' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session. Tested on: Microsoft Windows XP Professional SP3 (EN) Apache/2.0.52 (Win32) PHP/5.2.6 MySQL 5.0.51b-community-nt-log Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Vendor status: [28.07.2011] Vulnerabilities discovered. [28.07.2011] Initial contact with the vendor. [29.07.2011] Vendor replies asking more details. [29.07.2011] Sent details to vendor. [01.08.2011] Requested status update from vendor. [02.08.2011] Vendor investigates and confirms issues. [02.08.2011] Asked vendor for patch release date. [04.08.2011] No reply from vendor. [05.08.2011] Asked vendor to specify patch release date. [05.08.2011] Vendor plans to release the 5.3.0 RC by the end of the month. [21.08.2011] Asked vendor for specific patch release date. [22.08.2011] Vendor replies promising official release by mid September. [14.09.2011] Asked vendor for update. [14.09.2011] Vendor replies extending official release date. [26.10.2011] Coordinated public security advisory released. Advisory ID: ZSL-2011-5052 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5052.php Vendor: http://wiki.vtiger.com/index.php/Vtiger530:Release_Notes GHDB: http://www.exploit-db.com/ghdb/3737/ 28.07.2011 --- Dork: intitle:"vtiger CRM 5 - Commercial Open Source CRM" http://localhost:8888/modules/mobile/index.php?_operation="> http://localhost:8888/modules/mobile/index.php?_operation=listModuleRecords&module=Services&search=">