Share
## https://sploitus.com/exploit?id=1337DAY-ID-39740
[CVE-ID]:CVE-2024-44778
------------------------------------------
[Suggested description]:A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
------------------------------------------
[Additional Information]
PoC:
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22
------------------------------------------
[Vulnerability Type]:Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]:vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]:The parent parameter of vTiger CRM 7.4.0 Index page
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[CVE Impact Other]:Run Arbitrary Javascript code
------------------------------------------
[Attack Vectors]:Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22




[CVE-ID]:CVE-2024-44779
------------------------------------------
[Suggested description]
A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
------------------------------------------
[Additional Information]:
PoC:
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd'+onpointerdown=alert()+alt=
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]:vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]:The "viewname" parameter of vTiger CRM 7.4.0 Index page .
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[CVE Impact Other]:
Run Arbitrary JS code
------------------------------------------
[Attack Vectors]
Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd



[CVE-ID]:CVE-2024-44777
------------------------------------------
[Suggested description]
A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
------------------------------------------
[Additional Information]
PoC:
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22
------------------------------------------
[Vulnerability Type]:Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]:vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]
The "tag" parameter of vTiger CRM 7.4.0 Index page
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[CVE Impact Other]
Run Arbitrary Javascript code
------------------------------------------
[Attack Vectors]:Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22

[CVE:ID]CVE-2024-44776
------------------------------------------
[Suggested description]
An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL.
------------------------------------------
[VulnerabilityType Other]:Open Redirect
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]
vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]:Index of vTiger CRM
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[Impact Information Disclosure]:true
------------------------------------------
[CVE Impact Other]:Redirect a victim to a malicious site
------------------------------------------
[Attack Vectors]:Crafted URL
-----------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]:http://vtiger.com
------------------------------------------