Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11245
HistoryJan 31, 2006 - 12:00 a.m.

BrowserCRM vulnerable for XSS

2006-01-3100:00:00
vulners.com
9
JSON

Inputs in the BrowserCRM is not properly sanitized, and XSS is possible in a lot of the systems input
fields and url parameters.

Some fields have been filtered in a basic form, so that simple scripting like
"<script>alert('XSS')</script>" is not possible. Howevere, since the filtering is not based on white listing
you can conduct successful XSS attacks with code like "<IMG
SRC=javascript:alert(String.fromCharCode(88,83,83))>".

PoC:
http://www.SITE.example/modules/Search/results.php?query=&#37;3CIMG+SRC&#37;3Djavascript&#37;3Aalert&#37;28String.fromCharCode&#37;2888&#37;2C83&#37;2C83&#37;29&#37;29&#37;3E

Vendors site:http://www.browsercrm.com/

Please credit to: Preben Nylшkken

JSON