ZurmoCRM 3.0.5 Multiple issues

2015.12.01
Credit: NaxoneZ
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Hi,

I found these issues in ZurmoCRM. All issues are reported on their GitHub.

1.- HTML Injection

If you create a Product, list, etc. with this name: <h1>injection</h1>

When you go to the preview page (in this case products), you can see the injection.

2.- Information Disclosure

When you put %00 in moduleClassName you can see the full path of the installation of ZurmoCRM:

/index.php/designer/default/modulesMenu?moduleClassName=%00

3.- XSS

When you create a list, in the "check list" field you can insert an XSS code:

index.php/tasks/default/list#

All issues are reported: https://github.com/zurmo/Zurmo/issues

Regards.

References:

https://github.com/zurmo/Zurmo/issues
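
Added example (not part of the original advisory and not Zurmo code): the two defensive checks these findings point to, written in PHP. The first is strict validation of moduleClassName before it reaches any class or file lookup, and the second is HTML encoding of stored names on output. The allow-list entries and function names are assumptions, as is the idea that the path leaks through an error message.

```php
<?php
// Added example, not Zurmo code. Function names and allow-list are hypothetical.

/**
 * Validate a request-supplied module class name before it is used.
 * Returns the name when accepted, or null when rejected.
 */
function resolveModuleClassName($raw, array $allowed)
{
    // Reject non-strings (e.g. moduleClassName[]=x) and anything that is not
    // a plain identifier. This excludes the NUL byte produced by %00.
    if (!is_string($raw) || !preg_match('/\A[A-Za-z_][A-Za-z0-9_]*\z/', $raw)) {
        return null;
    }
    // Strict comparison against known module classes only.
    return in_array($raw, $allowed, true) ? $raw : null;
}

/** Encode a stored value (product name, check list item) for HTML text output. */
function encodeForHtml($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample data.
$allowed = array('ProductsModule', 'TasksModule'); // hypothetical module names
$samples = array("\0", 'ProductsModule', "ProductsModule\0.php", '../config');

foreach ($samples as $raw) {
    $name = resolveModuleClassName($raw, $allowed);
    if ($name === null) {
        // Generic response: no exception text and no file path in the body.
        echo "400 Bad Request\n";
    } else {
        echo "200 OK: {$name}\n";
    }
}

// The product name from the advisory is rendered as text, not markup.
echo encodeForHtml('<h1>injection</h1>'), "\n";
```

Rejecting the value before lookup keeps the failing input away from any code path that could echo an installation path, and encoding at output time covers names that were stored before validation existed.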

