Vulnerability CVE-2017-18004


Published: 2017-12-31

Description:
Zurmo 3.2.3 allows XSS via the latitude or longitude parameter to maps/default/mapAndPoint.

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Zurmo
Product: Zurmo crm 
Version: 3.2.3;

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.5/10
2.9/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
https://bitbucket.org/zurmo/zurmo/issues/436/to-report-a-xss-security-vulnerability-in

Related CVE
CVE-2017-16569
An Open URL Redirect issue exists in Zurmo 3.2.1.57987acc3018 via an http: URL in the redirectUrl parameter to app/index.php/meetings/default/createMeeting.
CVE-2017-15039
Cross-site scripting (XSS) exists in Zurmo 3.2.1.57987acc3018 via a data: URL in the redirectUrl parameter to app/index.php/meetings/default/createMeeting.
CVE-2017-7188
Zurmo 3.1.1 Stable allows a Cross-Site Scripting (XSS) attack with a base64-encoded SCRIPT element within a data: URL in the returnUrl parameter to default/toggleCollapse.
CVE-2015-5365
Cross-site scripting (XSS) vulnerability in Zurmo CRM 3.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "What's going on?" profile field.

Copyright 2018, cxsecurity.com

 

Back to Top