1Panel-dev CordysCRM
- <= 1.4.1
A stored cross-site scripting vulnerability has been identified in 1Panel CordysCRM versions through 1.4.1. The issue arises in the ModuleFormController component, specifically within the Save function of the ModuleFormService.java file. The vulnerability allows remote attackers to inject malicious scripts by manipulating the Description argument, which is not properly validated before being saved. This injected script is executed when the form is accessed, leading to a cross-site scripting attack.
Because the payload is stored, exploitation does not depend on the victim following a crafted link: the injected script executes in the context of any user who accesses the affected form.
To reproduce this vulnerability, access the form settings interface for editing tracking records. Enter a payload, such as an image tag with an error event, into the description field. Once the payload is saved, it will execute automatically when the form is reopened, demonstrating the cross-site scripting vulnerability.
Users are advised to upgrade to CordysCRM version 1.7.0, which includes a patch for this vulnerability. After upgrading, configure the XSS protection feature in the 'cordys-crm.properties' file to specify which URLs require filtering.
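The two generic defences against a stored payload in a description field, shown as an added example that is not CordysCRM code and not its 1.7.0 patch: encoding the value when it is rendered, and auditing descriptions that are already stored. The function names and sample records are hypothetical, and the example assumes descriptions are meant to be plain text.

```javascript
// Added example; escapeHtml, findActiveMarkup, auditForms and the sample
// records are hypothetical names, not taken from the CordysCRM code base.

// Encode the five HTML-significant characters so a stored description is
// rendered as text and never parsed as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  const text = value == null ? '' : String(value);
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Audit checks for stored values: each entry is [label, pattern].
// A tag name must directly follow '<', so "a < b" is not reported.
const CHECKS = [
  ['tag', /<\/?[a-z][^>]*>/i],
  ['event-handler attribute', /<[^>]*[\s/]on[a-z]+\s*=/i],
  ['javascript: URL', /\bjavascript\s*:/i],
];

// Return the labels of every check a description trips (empty array = clean).
function findActiveMarkup(description) {
  const text = description == null ? '' : String(description);
  return CHECKS.filter(([, re]) => re.test(text)).map(([label]) => label);
}

// Walk { id, description } records and keep only those with findings.
function auditForms(records) {
  return records
    .map((r) => ({ id: r.id, findings: findActiveMarkup(r.description) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample records (not real CordysCRM data).
const sampleForms = [
  { id: 'form-1', description: 'Tracks follow-up calls & visits' },
  { id: 'form-2', description: '<img src="x" onerror="console.log(1)">' },
  { id: 'form-3', description: 'Budget < 5000 and > 1000' },
];

console.log(auditForms(sampleForms));
console.log(escapeHtml(sampleForms[1].description));
```

The audit only reports findings; the encoding step is what keeps a missed value from executing when the form is displayed.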