Headline
vTiger CRM 7.4.0 Cross Site Scripting
vTiger CRM version 7.4.0 suffers from multiple reflected cross-site scripting vulnerabilities.
[CVE-ID]: CVE-2024-44778

[Suggested description]: A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.

[Additional Information]
PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22

[Vulnerability Type]: Cross Site Scripting (XSS)
[Vendor of Product]: vTiger
[Affected Product Code Base]: vTiger CRM - 7.4.0
[Affected Component]: The parent parameter of vTiger CRM 7.4.0 Index page
[Attack Type]: Remote
[CVE Impact Other]: Run Arbitrary Javascript code
[Attack Vectors]: Crafted URL
[Has vendor confirmed or acknowledged the vulnerability?]: true
[Discoverer]: Marco Nappi

[Reference]
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22

------------------------------------------

[CVE-ID]: CVE-2024-44779

[Suggested description]: A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.

[Additional Information]
PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd'+onpointerdown=alert()+alt=

[Vulnerability Type]: Cross Site Scripting (XSS)
[Vendor of Product]: vTiger
[Affected Product Code Base]: vTiger CRM - 7.4.0
[Affected Component]: The "viewname" parameter of vTiger CRM 7.4.0 Index page
[Attack Type]: Remote
[CVE Impact Other]: Run Arbitrary JS code
[Attack Vectors]: Crafted URL
[Has vendor confirmed or acknowledged the vulnerability?]: true
[Discoverer]: Marco Nappi

[Reference]
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd

------------------------------------------

[CVE-ID]: CVE-2024-44777

[Suggested description]: A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.

[Additional Information]
PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22

[Vulnerability Type]: Cross Site Scripting (XSS)
[Vendor of Product]: vTiger
[Affected Product Code Base]: vTiger CRM - 7.4.0
[Affected Component]: The "tag" parameter of vTiger CRM 7.4.0 Index page
[Attack Type]: Remote
[CVE Impact Other]: Run Arbitrary Javascript code
[Attack Vectors]: Crafted URL
[Has vendor confirmed or acknowledged the vulnerability?]: true
[Discoverer]: Marco Nappi

[Reference]
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22
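For defenders who cannot patch immediately, the three advisories share one detectable shape: a request to index.php whose parent, viewname or tag value contains characters a legitimate view or tag name never needs. The script below, an added example that is not part of the advisory, scans web-server access logs for that shape; it assumes the combined log format, and the sample lines are constructed from the PoC URLs above plus benign traffic.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Query parameters the advisory reports as reflected unencoded by index.php
SUSPECT_PARAMS = {"parent", "viewname", "tag"}
# Legitimate view/module/tag names never need these; each one is required to break
# out of an HTML attribute or a JavaScript string, the contexts the three PoCs abuse
BREAKOUT_CHARS = re.compile(r"""[<>"'();]""")
# Apache/nginx combined log format (assumption: this is what the web tier writes)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_params(request_target):
    """Map each advisory-named parameter whose decoded value has break-out characters to that value."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/index.php"):
        return {}
    # parse_qsl percent-decodes and turns '+' into spaces, i.e. the value the server sees
    return {
        name: value
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if name in SUSPECT_PARAMS and BREAKOUT_CHARS.search(value)
    }


def scan_log(lines):
    """Return (client ip, timestamp, {param: value}) for every request that trips the check."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (hits := suspicious_params(m["path"])):
            findings.append((m["ip"], m["ts"], hits))
    return findings


# Constructed sample log: the three PoC requests from the advisory and two benign ones
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2024:10:01:02 +0000] "GET /vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Sep/2024:10:01:09 +0000] "GET /vtigercrm7demo/index.php?module=Accounts&view=List&viewname=All HTTP/1.1" 200 4311',
    '203.0.113.5 - - [10/Sep/2024:10:02:41 +0000] "GET /vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd\'+onpointerdown=alert()+alt= HTTP/1.1" 200 4390',
    '198.51.100.7 - - [10/Sep/2024:10:03:15 +0000] "GET /vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=vip HTTP/1.1" 200 5002',
    '203.0.113.5 - - [10/Sep/2024:10:04:58 +0000] "GET /vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22 HTTP/1.1" 200 5077',
]

if __name__ == "__main__":
    for ip, ts, hits in scan_log(SAMPLE_LOG):
        print(ip, ts, hits)
```

Because the values are decoded before matching, double-encoded or '+'-spaced variants of the same payloads are caught as well; the check says nothing about parameters outside the three the advisory names.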