1Panel CordysCRM Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in 1Panel CordysCRM versions up to and including 1.6.2. The issue resides in the 'RequestParamTrimConfig.java' file, where an unknown function fails to properly validate or encode user input, allowing remote exploitation. The vulnerability has been publicly disclosed and can be exploited by injecting malicious JavaScript into announcement content; the script is stored with the announcement and executed in the browser of any user who views it.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the announcement.

Reproduction

To reproduce this vulnerability, log in to CordysCRM with an account that has permission to create announcements. Navigate to the announcement creation interface and enter a payload containing JavaScript, such as an image tag with an 'onerror' event. Once the announcement is saved, the injected script will execute when the announcement is viewed by any user.

Remediation

Users are advised to upgrade to CordysCRM version 1.7.0, which addresses this vulnerability by implementing XSS protection and allowing configurable URL filtering. After upgrading, it is recommended to review and adjust the XSS filtering settings in the 'cordys-crm.properties' file as needed.
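The advisory attributes the flaw to request-parameter handling that trims but neither validates nor encodes the announcement body, and attributes the 1.7.0 fix to XSS protection plus configurable URL filtering. The following standalone Java program is an added illustration of that pattern, not code from CordysCRM: the 'before' path stores the parameter as submitted, the 'after' path HTML-encodes it unless the request path is on an exclude list read from properties. The class name, the property keys 'xss.filter.enabled' and 'xss.filter.exclude-paths', the paths, and the sample announcement text are all assumptions constructed for the example; the real property names in 'cordys-crm.properties' are not given on this page.

```java
import java.util.List;
import java.util.Properties;
import java.util.regex.Pattern;

/**
 * Hypothetical demonstration (not the project's code) of the two controls the
 * advisory describes: encoding untrusted request parameters such as the
 * announcement body, and a configurable list of URL paths that bypass the filter.
 */
public class AnnouncementXssFilterDemo {

    // Assumed property keys; the real keys in cordys-crm.properties are not on the page.
    static final String ENABLED_KEY = "xss.filter.enabled";
    static final String EXCLUDE_KEY = "xss.filter.exclude-paths";

    private final boolean enabled;
    private final List<String> excludedPrefixes;

    AnnouncementXssFilterDemo(Properties props) {
        this.enabled = Boolean.parseBoolean(props.getProperty(ENABLED_KEY, "true"));
        String raw = props.getProperty(EXCLUDE_KEY, "");
        this.excludedPrefixes = raw.isBlank() ? List.of() : List.of(raw.split("\\s*,\\s*"));
    }

    /** Encode the HTML metacharacters so stored input renders as text, never as markup. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Paths listed in the exclude property keep raw input (e.g. an endpoint that legitimately accepts HTML). */
    boolean shouldFilter(String path) {
        if (!enabled) return false;
        return excludedPrefixes.stream().noneMatch(path::startsWith);
    }

    /** Vulnerable 'before': trims the parameter and stores it exactly as submitted. */
    static String storeUnsafely(String content) {
        return content.trim();
    }

    /** Hardened 'after': trim, then encode before the value reaches storage and later rendering. */
    String storeSafely(String path, String content) {
        String trimmed = content.trim();
        return shouldFilter(path) ? escapeHtml(trimmed) : trimmed;
    }

    // Regression check: a stored value must not contain a tag carrying an inline event handler.
    private static final Pattern LIVE_HANDLER =
            Pattern.compile("<[^>]*\\son\\w+\\s*=", Pattern.CASE_INSENSITIVE);

    static boolean containsLiveHandler(String html) {
        return LIVE_HANDLER.matcher(html).find();
    }

    public static void main(String[] args) {
        Properties props = new Properties();
        props.setProperty(ENABLED_KEY, "true");
        props.setProperty(EXCLUDE_KEY, "/api/import, /api/webhook");
        AnnouncementXssFilterDemo filter = new AnnouncementXssFilterDemo(props);

        // Constructed sample in the shape the advisory describes: an image tag with an onerror handler.
        String payload = "  Welcome <img src=x onerror=\"alert(1)\"> all  ";

        String unsafe = storeUnsafely(payload);
        String safe = filter.storeSafely("/api/announcement", payload);

        System.out.println("before: " + unsafe + "  live handler? " + containsLiveHandler(unsafe)); // true
        System.out.println("after:  " + safe + "  live handler? " + containsLiveHandler(safe));     // false
        System.out.println("excluded path keeps raw input: "
                + filter.storeSafely("/api/import/csv", payload).equals(unsafe));                 // true
    }
}
```

The regex check is a cheap post-upgrade verification a reviewer can run over stored announcement bodies: after the fix, no stored value should match it, while any row that still does was written before encoding was in place and should be re-encoded or removed. Note that an excluded path intentionally keeps raw input, so each prefix placed in the exclude list widens the exposure and deserves its own justification.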

Added: Jun 2, 2026, 12:22 AM
Updated: Jun 2, 2026, 12:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.