Horilla CRM Cross-Site Scripting Vulnerability in Leads Module
Vulnerability
A stored cross-site scripting vulnerability has been identified in Horilla CRM versions prior to 1.0.3. The issue resides in the Leads module, specifically within the Notes and Attachment functionality. The application fails to properly sanitize user input in the Notes field, allowing authenticated attackers to inject malicious JavaScript. This injected script is executed when the note is viewed or edited by other users.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of users interacting with the affected notes.
Reproduction
To reproduce this vulnerability, navigate to the Leads module and select an existing lead. Go to the Notes and Attachment section and add a new note. In the Notes field, enter a title and manually type a script injection payload, such as an image tag with an 'onerror' event. After saving the note, the injected script will execute when the note is edited.
Remediation
Users are advised to upgrade to Horilla CRM version 1.0.3, which addresses this vulnerability.
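To show the flaw pattern beside its fix, the following added example (not Horilla's code) renders a note body verbatim versus escaped, and includes a parser-based audit that flags already-stored notes carrying active content; the sample notes, function names and HTML fragment layout are constructed assumptions.

```python
"""Stored XSS in a CRM note field: raw vs. escaped rendering, plus an audit
that flags stored notes carrying active content (added example, stdlib only)."""
from html import escape
from html.parser import HTMLParser

# Constructed sample notes. The second mirrors the advisory's image tag with
# an onerror handler; the third is benign text that merely mentions a tag.
SAMPLE_NOTES = [
    {"title": "Follow-up", "body": "Call back next week"},
    {"title": "Intro", "body": '<img src=x onerror="x()">'},
    {"title": "Markup", "body": "Customer asked about <b> tags, benign"},
]

def render_note_vulnerable(note: dict) -> str:
    """Interpolates the stored body verbatim into the page (the flaw pattern)."""
    return f"<div class='note'><h4>{note['title']}</h4><p>{note['body']}</p></div>"

def render_note_fixed(note: dict) -> str:
    """Escapes title and body so stored markup is displayed as text, not executed."""
    return (f"<div class='note'><h4>{escape(note['title'])}</h4>"
            f"<p>{escape(note['body'])}</p></div>")

class _ActiveContentScanner(HTMLParser):
    """Records tags that can run script: <script>, or any on* event attribute."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append((tag, "script"))
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.append((tag, name))

def audit_notes(notes: list) -> list:
    """Returns (title, tag, attribute) for each stored note with active content,
    so existing data can be reviewed after upgrading to a version that escapes."""
    hits = []
    for note in notes:
        scanner = _ActiveContentScanner()
        scanner.feed(note["body"])
        scanner.close()
        for tag, attr in scanner.findings:
            hits.append((note["title"], tag, attr))
    return hits
```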