Rukovoditel CRM
cpe:2.3:a:rukovoditel:rukovoditel:*:*:*:*:*:*:*
- <= 3.6.4
A reflected cross-site scripting vulnerability has been identified in Rukovoditel CRM versions through 3.6.4. The issue resides in the Zadarma telephony API endpoint, where user-supplied input from the 'zd_echo' GET parameter is echoed back in the response without proper sanitization or encoding. This vulnerability allows unauthenticated attackers to inject JavaScript payloads that execute in the context of the user's browser, potentially leading to session hijacking, credential theft, phishing, account takeover, or even remote code execution, according to the source.
Exploitation of this vulnerability allows for session hijacking by stealing admin session cookies, leading to unauthorized access. This can result in full account takeover, especially when combined with a cookie hash leak, permanently compromising accounts. Additionally, the vulnerability could be used for phishing by rendering fake login forms to steal credentials, distributing malware by redirecting users to malicious payloads, or as a chain to achieve remote code execution by stealing an admin session to access a Custom PHP module and execute arbitrary code.
The vulnerability can be reproduced by sending a request to the Zadarma API endpoint with a crafted 'zd_echo' parameter that includes JavaScript payloads. When the link is visited, the injected script executes in the context of the user's browser. This can be done without logging in, and the exploitation can be demonstrated by injecting a script that, for example, alerts a message or steals a session cookie.
Users can upgrade to Rukovoditel CRM version 3.7 or later, which includes proper input validation and output encoding to prevent script injection. Instructions for downloading the latest version are available on the Rukovoditel website.
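To make the reproduction and the fix above concrete from the defender's side, here is an added Python example (not code from the Rukovoditel project or from the advisory): it parses constructed access-log lines, extracts the 'zd_echo' query value, flags values that would break out of an HTML context if reflected unencoded, and shows the HTML-encoded form a patched endpoint should emit instead. The request path in the sample lines is a placeholder, since the advisory names only the parameter.

```python
import re
import html
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (Combined Log Format) for this example.
# The request path is a placeholder; the advisory names only the zd_echo parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /PLACEHOLDER_ZADARMA_ENDPOINT?zd_echo=ping123 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [10/May/2024:12:00:02 +0000] "GET /PLACEHOLDER_ZADARMA_ENDPOINT?zd_echo=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:12:00:03 +0000] "GET /index.php?module=dashboard HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target of a Combined Log Format line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# Characters that close an HTML text node or attribute value when echoed unencoded.
HTML_META = re.compile(r'[<>"\']')

def zd_echo_values(line):
    """Percent-decoded zd_echo values from one log line ([] if absent/unparseable)."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return parse_qs(query, keep_blank_values=True).get("zd_echo", [])

def is_suspicious(value):
    """True when the value would break out of an HTML context if reflected raw.
    parse_qs decoded once; decoding again catches double-encoded input harmlessly."""
    return HTML_META.search(unquote_plus(value)) is not None

def safe_reflection(value):
    """What a fixed endpoint should emit: the value HTML-encoded for an HTML body."""
    return html.escape(value, quote=True)

def scan_log(text):
    """Report every request whose zd_echo value looks like markup injection."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for value in zd_echo_values(line):
            if is_suspicious(value):
                findings.append({"ip": m["ip"], "ts": m["ts"], "value": value,
                                 "safe": safe_reflection(value)})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} zd_echo markup: {f['value']!r} -> {f['safe']}")
```

Running it on the constructed lines reports only the second request; the benign ping and the unrelated dashboard request are not flagged.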