Описание
Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to “/crm/create_job_submit.php”, using the “JobCreatedBy” parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
Ссылки
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1
cpe:2.3:a:energycrm:energy_crm:2025:*:*:*:*:*:*:*
EPSS
Процентиль: 17%
0.00053
Низкий
5.4 Medium
CVSS3
Дефекты
CWE-79
Связанные уязвимости
CVSS3: 5.4
github
4 месяца назад
Exposure of sensitive information in Viday. This vulnerability could allow an attacker to obtain sensitive information about customers by intercepting HTTP requests and searching for the JWT containing sensitive user information in the JWT payload.
EPSS
Процентиль: 17%
0.00053
Низкий
5.4 Medium
CVSS3
Дефекты
CWE-79