BusinessNext CRMnext Arbitrary Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in BusinessNext CRMnext version 10.8.3.0. The issue arises in the Applications Page, where the comments input parameter can be manipulated to execute arbitrary code. This vulnerability requires authentication, as it can only be exploited by users with access to the Applications Page.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server.

Reproduction

To reproduce this vulnerability, log in to CRMnext with a valid account. Navigate to the Applications Page and either modify an existing application or submit a new one. Place the payload in the comments field and submit the request. The page content is updated without the input being validated, indicating that the injected code has been executed.

Added: Oct 30, 2025, 5:22 PM
Updated: Oct 30, 2025, 7:30 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread            0.0
  impact           10.0
  exploitability    6.6
  remediation       0.0
  relevance         0.8
  threat            6.4
  urgency           2.9
  incentive         1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.