Webkul Krayin CRM Cross-Site Scripting Vulnerability in SVG File Handler

A cross-site scripting (XSS) vulnerability has been identified in Webkul Krayin CRM versions through 2.1.0. The issue arises in the user management module, specifically within the file upload functionality that handles SVG files. The vulnerability allows remote attackers to inject malicious scripts that could be executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the victim's browser.

Reproduction

To reproduce this vulnerability, a low-privileged user can upload a malicious SVG file containing embedded JavaScript into the CRM. Once the file is uploaded, the user can send an email to an admin with the SVG file attached. When the admin opens the SVG file, the JavaScript executes, harvesting the admin's XSRF-TOKEN cookie. This cookie can then be used to forge a POST request to the CRM's user management endpoint, changing the admin's password and allowing the attacker to gain full admin access.