Vtiger CRM Open Source Edition
cpe:2.3:a:vtiger:vtiger_crm:*:*:*:*:*:*:*
- <= 8.3.0
A stored cross-site scripting vulnerability has been identified in Vtiger CRM Open Source Edition version 8.3.0. The vulnerability arises in the 'Services Import' feature, where an attacker can upload a CSV file containing an XSS payload mapped to the 'Service Name' field. The application fails to properly sanitize this input, allowing for persistent execution of scripts. When the affected service record is viewed by any user, including administrators, the XSS payload is triggered, executing arbitrary JavaScript in the victim's browser. Additionally, Vtiger CRM does not apply the HttpOnly flag to authentication cookies, leaving session tokens readable by client-side scripts and potentially allowing hijacking of administrator accounts.
Exploitation results in stored cross-site scripting: the payload executes in the browser context of any user who views the imported service record. Because the authentication cookies lack the HttpOnly flag, the injected script can also read them, enabling theft of session tokens and hijacking of administrator accounts.
To reproduce this vulnerability, create a CSV file with an XSS payload in the 'Service Name' field. Log into Vtiger CRM and navigate to 'Inventory' > 'Services', then click 'Import'. Select the crafted CSV file and proceed to the field mapping section. Map the 'Service Name' field and complete the import. The XSS payload will be executed when the imported service record is viewed.
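The two defects described above (missing output encoding on the imported 'Service Name' value, and authentication cookies issued without HttpOnly) are illustrated below in a short Python model. This is an added example, not Vtiger code: the CSV parsing, the column-to-field mapping, the cookie name and the sample rows are all constructed stand-ins for the application's import wizard and session handling. It shows the raw-interpolation rendering that produces the stored XSS beside the HTML-encoded form that neutralises it, and a cookie-header builder plus an audit helper that flags Set-Cookie headers missing HttpOnly or Secure.

```python
import csv
import html
import io
from http.cookies import SimpleCookie

# Constructed sample import file (test data, not a real Vtiger export).
# Row two carries a script tag in the Service Name column; row three shows
# legitimate data that also contains '<' and '&' and must survive intact.
SAMPLE_CSV = """Service Name,Service No,Unit Price
Consulting,SRV-1,100.00
"<script>document.title='x'</script>",SRV-2,50.00
"Plain & <b>bold</b>",SRV-3,75.00
"""

# Hypothetical column-to-field mapping, standing in for the mapping step
# of the Services Import wizard.
FIELD_MAP = {
    "Service Name": "servicename",
    "Service No": "service_no",
    "Unit Price": "unit_price",
}


def import_services(csv_text, field_map):
    """Parse the uploaded CSV and map its headers onto record fields.

    Values are stored verbatim on purpose: stripping '<' at import time
    would corrupt legitimate names, and it is not where the bug lives.
    The defence is encoding at output time (render_service_name)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    records = []
    for row in reader:
        records.append({field_map[col]: val for col, val in row.items()
                        if col in field_map})
    return records


def render_service_name_vulnerable(record):
    """The pattern that yields stored XSS: raw interpolation into HTML."""
    return '<td class="servicename">%s</td>' % record["servicename"]


def render_service_name(record):
    """Hardened rendering: HTML-encode the stored value before it is
    placed in the page, so '<script>' reaches the browser as text."""
    return '<td class="servicename">%s</td>' % html.escape(
        record["servicename"], quote=True)


def build_session_cookie(name, value, secure=True):
    """Build a Set-Cookie header value for an authentication cookie with
    HttpOnly set, so document.cookie cannot expose the session token."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = secure
    jar[name]["samesite"] = "Lax"
    jar[name]["path"] = "/"
    return jar.output(header="").strip()


def cookie_flags_missing(set_cookie_value):
    """Audit helper: list the security attributes absent from a Set-Cookie
    header value (the check a reviewer would run against the app's login
    response)."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_value.split(";")[1:]}
    return [flag for flag in ("httponly", "secure") if flag not in attrs]


if __name__ == "__main__":
    for rec in import_services(SAMPLE_CSV, FIELD_MAP):
        print("vulnerable:", render_service_name_vulnerable(rec))
        print("hardened:  ", render_service_name(rec))
    header = build_session_cookie("SESSION_COOKIE_NAME", "constructed-session-id")
    print(header, "->", cookie_flags_missing(header) or "all flags present")
    print("missing on a bare cookie:", cookie_flags_missing("SESSION_COOKIE_NAME=abc; Path=/"))
```

The hardened renderer keeps the stored value unchanged and encodes only at the point of output, which is the fix a CRM needs here: a service name containing '&' or '<' is valid data, so the import step should not mangle it. The cookie audit helper is useful as a one-line regression check on the login response once HttpOnly has been enabled.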