vendor:
Small CRM
by:
Ghuliev
8.8
CVSS
HIGH
Stored Cross-Site Scripting (XSS)
79
CWE
Product Name: Small CRM
Affected Version From: 3
Affected Version To: 3
Patch Exists: NO
Related CWE:
CPE: a:phpgurukul:small_crm:3.0
Platforms Tested: Server: Ubuntu
2021
Small CRM 3.0 – ‘description’ Stored Cross-Site Scripting (XSS)
When a user or admin creates a ticket, an attacker can inject javascript code into the ticket by sending a POST request to the create-ticket.php page with a malicious script in the description parameter.
Mitigation:
Input validation should be used to prevent malicious scripts from being injected into the ticket.