[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Mutliple Vulnerabilities in ZurmoCRM 3.0.5

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Mutliple Vulnerabilities in ZurmoCRM 3.0.5
From: "NaxoneZ ." <naxonez@xxxxxxxxx>
Date: Mon, 30 Nov 2015 15:41:23 +0100

Hi,

I found this issues in ZurmoCRM. All issues are reported in their github.

1.- Html Injection


   - If you create a Product, list, etc. with this name:
<h1>injection</h1>[image:
   Imágenes integradas 1]
   - When you go to preview page (in this case products), you can see the
   injection: [image: Imágenes integradas 2]

2.- Information Disclosure
When you put %00 in moduleClassName you can see the full path of the
installation of ZurmoCRM: /index.php/designer/default/
modulesMenu?moduleClassName=%00

[image: Imágenes integradas 3]


3.- XSS
When you create a list in the "check list" field you can insert a XSS code:

index.php/tasks/default/list#
[image: Imágenes integradas 4]

All issues are reported:
https://github.com/zurmo/Zurmo/issues

You can test this issues in the demo page:
http://demo.zurmo.com/demos/stable/app/index.php/zurmo/default/login

Regards.

----
Sergio Galán aka @NaxoneZ

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Brocade Fabric OS v6.3.1b Multiple Vulnerabilities
Next by Date: [FD] [CFP] BSides San Francisco - February 2016
Previous by thread: [FD] Brocade Fabric OS v6.3.1b Multiple Vulnerabilities
Next by thread: [FD] [CFP] BSides San Francisco - February 2016
Index(es):
- Date
- Thread