Zurmo CRM 2.8.5 Multiple Reflected Cross-Site Scripting Vulnerabilities

Title: Zurmo CRM 2.8.5 Multiple Reflected Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2015-5221
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 07.01.2015
Summary
Zurmo is an Open Source Customer Relationship Management (CRM) application that is mobile, social, and gamified.
Description
Zurmo CRM suffers from multiple reflected cross-site scripting vulnerabilities. The issues are triggered when input passed via several GET parameters to several scripts is not properly sanitized (HTML-encoded for the context it lands in) before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site; as with any reflected XSS, an attacker has to get a logged-in user to open a crafted link, after which the injected script runs with that user's CRM session.
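The following is an added example, not Zurmo's code and not part of the original advisory: it shows the bug class in a hypothetical search page (a GET parameter echoed straight into the markup) beside the encoded version, and a small reflection probe of the kind a tester uses to confirm a reflection before writing it up. The parameter name `q`, the page renderers and the canary value are all assumptions for illustration.

```python
from html import escape
from urllib.parse import parse_qs, urlencode

# Constructed probe value: a unique marker plus the characters that matter for
# breaking out of HTML text and attribute contexts, so each outcome is distinct.
CANARY = 'zslprobe"\'<>'
MARKER = "zslprobe"


def _param(query_string: str, name: str) -> str:
    """Return the first value of a GET parameter, or '' if it is missing."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Hypothetical search page that echoes ?q= straight into the markup.
    This is the bug class the advisory describes, not Zurmo's actual code."""
    q = _param(query_string, "q")
    return f'<input type="text" name="q" value="{q}">\n<p>Results for {q}</p>'


def render_fixed(query_string: str) -> str:
    """Same page with the parameter HTML-encoded before it is returned.
    quote=True also encodes double and single quotes, which covers the
    attribute-value context as well as the text context."""
    q = escape(_param(query_string, "q"), quote=True)
    return f'<input type="text" name="q" value="{q}">\n<p>Results for {q}</p>'


def reflection_state(body: str, canary: str = CANARY) -> str:
    """Classify how the probe came back in a response body:
      'raw'      - metacharacters survived unencoded; the reflection is exploitable
      'encoded'  - the value is reflected but HTML-encoded
      'filtered' - the marker is reflected but the metacharacters were altered
      'absent'   - the parameter is not reflected at all"""
    if canary in body:
        return "raw"
    if escape(canary, quote=True) in body:
        return "encoded"
    if MARKER in body:
        return "filtered"
    return "absent"


def probe(render, param: str = "q") -> str:
    """Inject the canary as a GET parameter into a page renderer and classify
    the reflection. Against a live target the renderer would be an HTTP GET
    returning the response body."""
    body = render(urlencode({param: CANARY}))
    return reflection_state(body)


if __name__ == "__main__":
    print("vulnerable:", probe(render_vulnerable))
    print("fixed:     ", probe(render_fixed))
```

A `raw` result is what the advisory reports for each affected parameter. A `filtered` result (marker reflected, metacharacters stripped or altered) is not a clean bill of health: stripping is weaker than encoding and is context dependent, so such parameters still need manual follow-up in each reflection context (text, attribute, script).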
Vendor
Zurmo Inc. - http://www.zurmo.org
Affected Version
2.8.5
Tested On
Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vendor Status
[02.01.2015] Vulnerabilities discovered.
[05.01.2015] Vendor contacted.
[05.01.2015] Vendor responds asking more details.
[06.01.2015] Sent details to the vendor.
[06.01.2015] Vendor states that they only provide support for the commercial versions.
[07.01.2015] Public security advisory released.
PoC
zurmo_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://packetstormsecurity.com/files/129842
[2] http://cxsecurity.com/issue/WLB-2015010033
[3] http://osvdb.org/show/osvdb/116804
[4] http://osvdb.org/show/osvdb/116805
[5] http://www.securityfocus.com/bid/71923
[6] https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99926
Changelog
[07.01.2015] - Initial release
[12.01.2015] - Added reference [1], [2], [3], [4] and [5]
[13.03.2015] - Added reference [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk