Krayin Laravel CRM Cross-Site Scripting Vulnerability in Activities Module Notes

Vulnerability

A stored cross-site scripting vulnerability has been identified in Krayin Laravel CRM versions up to 2.2. The issue resides in the Activities Module/Notes Module, specifically within the 'composeMail' function of the 'packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts' file. It allows an authenticated user to inject JavaScript that runs in the browser of any other user who views the note, including administrators. The root cause is improper handling of user input in the Notes field: the field accepted arbitrary HTML, CSS, and JavaScript and rendered it back unescaped. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows injected scripts to execute in the session context of whichever user views the Notes, which can lead to unauthorized actions performed on that user's behalf or to exposure of data accessible to that user.

Reproduction

To reproduce this vulnerability, log into Krayin CRM as an authenticated user and navigate to the Contacts → Persons module. Create or open a Person record, go to the Notes section, and add a note containing crafted HTML, CSS, or JavaScript, such as a script tag with JavaScript code or a style tag with CSS instructions. Save the note, then refresh the page or view the record as another user, including an admin: the injected content is executed or applied as styling instead of being displayed as text.

Remediation

Users are advised to update to the latest version of Krayin Laravel CRM, where this vulnerability has been fixed.

Added: Apr 2, 2026, 6:25 PM
Updated: Apr 2, 2026, 6:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.4
exploitability: 6.0
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.