Webkul Krayin CRM Cross-Site Scripting Vulnerability

Vulnerability

A Cross-Site Scripting (XSS) vulnerability has been identified in Webkul Krayin CRM version 2.1.5. The issue arises because the application does not properly sanitize user input in the comment field during Activity creation on the /admin/activities/create endpoint. This lack of input validation allows for the injection of malicious HTML or scripts, which can be executed in the browsers of users with higher privileges, such as administrators or managers.

Impact

Exploitation of this vulnerability allows for the execution of malicious scripts in the browsers of users who view the affected activity records. This could lead to the theft of session cookies and authentication information, account hijacking, and unauthorized access to sensitive CRM data, including customer and sales information.

Reproduction

To reproduce this vulnerability, create an activity record in Krayin CRM, such as a 'Call' or 'Meeting'. In the description field, enter a string that includes HTML tags. Once the activity is saved, navigate to the admin panel or activity details page to see the injected HTML rendered without proper escaping, confirming the presence of a stored Cross-Site Scripting vulnerability.

Remediation

Users of Webkul Krayin CRM should update to version 2.1.6, where this vulnerability has been fixed. After updating, it is recommended to review existing activity records for any injected HTML or scripts that could still pose a risk.
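As an added illustration (not Krayin's own code, which is PHP/Laravel and not reproduced on this page), the following Python shows the two defender-side halves of the issue described above: rendering the activity comment with and without output escaping, and the post-update review of stored activity records that the remediation recommends. The record layout, the field name `comment`, and the sample records are constructed assumptions for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample activity records; not taken from any Krayin database.
# The "comment" field name is an assumption for this example.
SAMPLE_ACTIVITIES = [
    {"id": 1, "type": "Call", "comment": "Follow-up call about renewal"},
    {"id": 2, "type": "Meeting", "comment": "Discussed pricing <b>tiers</b> for Q3"},
    {"id": 3, "type": "Call", "comment": "<script>/* constructed marker */</script>"},
    {"id": 4, "type": "Meeting", "comment": "Budget < 5k, revisit next month"},
]

# Tags whose presence in free-text CRM data is never legitimate.
RISKY_TAGS = {"script", "iframe", "object", "embed"}


def render_unescaped(comment: str) -> str:
    """The defect: the stored value is placed in the page verbatim, so any tag
    a user typed is interpreted by the viewer's browser."""
    return f'<p class="activity-comment">{comment}</p>'


def render_escaped(comment: str) -> str:
    """The fix: HTML-escape the value at output time so the browser shows the
    text literally instead of interpreting it."""
    return f'<p class="activity-comment">{html.escape(comment, quote=True)}</p>'


class _TagCollector(HTMLParser):
    """Collects start tags and event-handler attributes found in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.event_attrs: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs.extend(name for name, _ in attrs if name.startswith("on"))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def html_tags_in(text: str) -> list[str]:
    """Return the HTML tag names present in text. A bare '<' followed by a
    space (as in 'Budget < 5k') is not a tag and is not reported."""
    parser = _TagCollector()
    parser.feed(text)
    parser.close()
    return parser.tags


def review_activities(records: list[dict], field: str = "comment") -> list[dict]:
    """Post-update review: flag records whose comment contains markup, and mark
    those containing script-capable tags or on* attributes as risky."""
    findings = []
    for rec in records:
        parser = _TagCollector()
        parser.feed(rec.get(field, ""))
        parser.close()
        if parser.tags:
            risky = bool(RISKY_TAGS & set(parser.tags)) or bool(parser.event_attrs)
            findings.append({"id": rec["id"], "tags": parser.tags, "risky": risky})
    return findings


if __name__ == "__main__":
    for finding in review_activities(SAMPLE_ACTIVITIES):
        print(f"activity {finding['id']}: tags={finding['tags']} risky={finding['risky']}")
    print(render_escaped(SAMPLE_ACTIVITIES[2]["comment"]))
```

The review function parses with the standard library's HTMLParser rather than a regular expression so that a literal `<` in ordinary text is not reported, while `render_escaped` shows what the corrected output path must do: the escaped string, when parsed again, contains only the wrapping paragraph tag.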

Added: May 7, 2026, 4:36 PM
Updated: May 7, 2026, 4:36 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.4
exploitability: 6.0
remediation: 7.7
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.