Vtiger CRM HTML Injection Vulnerability in Dashboard Module

Vulnerability

An HTML injection vulnerability has been identified in the Dashboard module of Vtiger CRM version 8.4.0. The issue arises because the application does not adequately sanitize user-supplied input in the 'tabid' parameter of the 'DashBoardTab' view, specifically during the 'getTabContents' action. This lack of input validation allows an attacker to inject arbitrary HTML into the dashboard interface, which is then rendered in the victim's browser. Exploitation could lead to manipulation of the user interface and to phishing attacks.

Impact

Exploitation of this vulnerability could result in unauthorized HTML being injected and rendered in the context of the user's browser, allowing manipulation of the dashboard interface and enabling phishing attacks.

Reproduction

To reproduce this vulnerability, navigate to the 'DashBoardTab' view and include a crafted 'tabid' parameter that contains unescaped HTML, such as a div element styled to cover the screen. The injected HTML is rendered on the page, overlaying the legitimate interface.
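As an added illustration (not Vtiger's own code), the following hypothetical PHP handler shows the unsafe pattern the advisory describes, where the raw 'tabid' value is concatenated into markup, next to a hardened version that validates the parameter as an integer and HTML-encodes it before output. The function names and markup are assumptions for the example.

```php
<?php
// Added example, not Vtiger CRM code. Demonstrates the advisory's defect class:
// a request parameter reflected into HTML without validation or encoding.

// Vulnerable: 'tabid' is echoed into the response exactly as received.
function renderTabContentsUnsafe(array $request): string
{
    $tabid = $request['tabid'] ?? '';
    return '<div class="dashboard-tab" data-tabid="' . $tabid . '">'
         . 'Contents of tab ' . $tabid . '</div>';
}

// Hardened: enforce the expected type (a positive integer) and reject anything
// else, then HTML-encode the value that is written back into the page.
function renderTabContentsSafe(array $request): string
{
    $tabid = filter_var(
        $request['tabid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($tabid === false) {
        http_response_code(400);   // reject rather than attempt to "clean" the input
        return 'Invalid tab id';
    }
    $safe = htmlspecialchars((string) $tabid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="dashboard-tab" data-tabid="' . $safe . '">'
         . 'Contents of tab ' . $safe . '</div>';
}

// Constructed sample request: the tabid value carries markup instead of a number.
$sample = ['tabid' => '1"><div style="position:fixed;top:0;left:0;width:100%;height:100%">overlay</div>'];

echo renderTabContentsUnsafe($sample), PHP_EOL;   // the injected div survives intact
echo renderTabContentsSafe($sample), PHP_EOL;     // prints "Invalid tab id"
echo renderTabContentsSafe(['tabid' => '7']), PHP_EOL;  // valid id renders normally
```

Run with `php example.php`; the contrast between the first two lines of output is the whole vulnerability in miniature.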

Added: Apr 13, 2026, 10:50 PM
Updated: Apr 13, 2026, 10:50 PM

Vulnerability Rating

Custom Algorithm

spread:         4.5
impact:         0.8
exploitability: 7.2
remediation:    0.0
relevance:      5.8
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.