PHPGurukul Small CRM Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in PHPGurukul Small CRM version 4.0. The issue resides in the registration module, specifically within the 'username' field of the '/registration.php' file. This vulnerability allows for the injection of persistent JavaScript payloads that are executed in the context of the administrator's browser session. The injected scripts can be used to steal session cookies and authentication tokens, perform unauthorized actions with elevated privileges, deliver phishing or malware through the admin panel, and potentially compromise CRM data or lead to a system takeover.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the administrator's browser, with the potential to steal session cookies and authentication tokens, perform unauthorized actions with elevated privileges, deliver phishing or malware via the admin panel, and compromise CRM data or lead to a system takeover.

Reproduction

To reproduce this vulnerability, register a new user through the '/crm/registration.php' page, injecting a JavaScript payload into the 'username' field. Once the user is registered, the payload will be executed when an administrator views the user management page.

Remediation

It is recommended to apply output encoding to user inputs before rendering them in the HTML context of admin pages. Additionally, input validation and sanitization should be implemented to allow only safe characters, rejecting or sanitizing any malicious patterns.