[CVE-ID]:
CVE-2024-44778
------------------------------------------
[Suggested description]:
A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
------------------------------------------
[Additional Information]:
PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22
------------------------------------------
[Vulnerability Type]:
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:
vTiger
------------------------------------------
[Affected Product Code Base]:
vTiger CRM - 7.4.0
------------------------------------------
[Affected Component]:
The "parent" parameter of vTiger CRM 7.4.0 Index page
------------------------------------------
[Attack Type]:
Remote
------------------------------------------
[CVE Impact Other]:
Run Arbitrary Javascript code
------------------------------------------
[Attack Vectors]:
Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:
true
------------------------------------------
[Discoverer]:
Marco Nappi
------------------------------------------
[Reference]:
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22

[CVE-ID]:
CVE-2024-44779
------------------------------------------
[Suggested description]:
A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
------------------------------------------
[Additional Information]:
PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd'+onpointerdown=alert()+alt=
------------------------------------------
[Vulnerability Type]:
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:
vTiger
------------------------------------------
[Affected Product Code Base]:
vTiger CRM - 7.4.0
------------------------------------------
[Affected Component]:
The "viewname" parameter of vTiger CRM 7.4.0 Index page
------------------------------------------
[Attack Type]:
Remote
------------------------------------------
[CVE Impact Other]:
Run Arbitrary JS code
------------------------------------------
[Attack Vectors]:
Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:
true
------------------------------------------
[Discoverer]:
Marco Nappi
------------------------------------------
[Reference]:
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd

[CVE-ID]:
CVE-2024-44777
------------------------------------------
[Suggested description]:
A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
------------------------------------------
[Additional Information]:
PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22
------------------------------------------
[Vulnerability Type]:
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:
vTiger
------------------------------------------
[Affected Product Code Base]:
vTiger CRM - 7.4.0
------------------------------------------
[Affected Component]:
The "tag" parameter of vTiger CRM 7.4.0 Index page
------------------------------------------
[Attack Type]:
Remote
------------------------------------------
[CVE Impact Other]:
Run Arbitrary Javascript code
------------------------------------------
[Attack Vectors]:
Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:
true
------------------------------------------
[Discoverer]:
Marco Nappi
------------------------------------------
[Reference]:
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22
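The three records above all describe the same class of defect: a query-string parameter of index.php (parent, viewname, tag) reflected into the page without contextual encoding. Until a patched build is deployed, the cheapest defensive control is to watch the web server access log for requests that carry string-breaking or attribute-injection characters in those three parameters. The following Python scanner is an added example and is not part of the advisory or of vTiger's code; it assumes the Apache/nginx "combined" log format, uses the parameter names from the three records, and runs over constructed log lines (two of which are benign) so it can be tried offline. The metacharacter list is a heuristic chosen to cover the JS-string, HTML-attribute and JS-call contexts the three PoCs target.

```python
"""Flag access-log requests that target the reflected index.php parameters
named in CVE-2024-44777, CVE-2024-44778 and CVE-2024-44779 (added example,
not vendor code; assumes combined log format; log lines are constructed)."""
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Parameter -> CVE, taken from the three advisory records above.
REFLECTED_PARAMS = {
    "parent": "CVE-2024-44778",
    "viewname": "CVE-2024-44779",
    "tag": "CVE-2024-44777",
}

# Heuristic: characters that terminate a JS string literal or function call,
# or open/close an HTML attribute, plus an inline "onXXX=" event handler.
# Legitimate view names, tags and parent ids contain none of these.
SUSPICIOUS = re.compile(r"""["'<>();]|\bon\w+\s*=""", re.IGNORECASE)

# Combined log format: ip - user [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _decode(value):
    """Decode the way the server will see the value: '+' -> space, %XX -> char,
    then one extra percent-decode to catch double-encoded input."""
    return unquote(unquote_plus(value))


def inspect_request(path):
    """Return [(param, cve, decoded_value)] for suspicious reflected params.
    Only index.php is in scope; other scripts are ignored."""
    parts = urlsplit(path)
    if not parts.path.endswith("/index.php"):
        return []
    findings = []
    # Split on '&' only; the tag PoC contains ';', which older parse_qs
    # implementations would also treat as a separator.
    for pair in parts.query.split("&"):
        if "=" not in pair:
            continue
        name, raw = pair.split("=", 1)
        if name not in REFLECTED_PARAMS:
            continue
        decoded = _decode(raw)
        if SUSPICIOUS.search(decoded):
            findings.append((name, REFLECTED_PARAMS[name], decoded))
    return findings


def scan_log(lines):
    """Parse combined-format lines and return one alert dict per hit."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for param, cve, value in inspect_request(m.group("path")):
            alerts.append({
                "ip": m.group("ip"), "time": m.group("ts"),
                "param": param, "cve": cve, "value": value,
            })
    return alerts


# Constructed sample: two benign requests and one attempt per advisory record.
LOG_LINES = [
    '203.0.113.5 - - [10/Sep/2024:12:00:01 +0000] "GET /vtigercrm7demo/index.php?module=Accounts&view=List&viewname=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Sep/2024:12:00:02 +0000] "GET /vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22 HTTP/1.1" 200 6010 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Sep/2024:12:00:03 +0000] "GET /vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd%27+onpointerdown=alert()+alt= HTTP/1.1" 200 6011 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Sep/2024:12:00:04 +0000] "GET /vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22 HTTP/1.1" 200 6012 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Sep/2024:12:00:05 +0000] "GET /vtigercrm7demo/index.php?module=Contacts&view=Detail&record=7 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in scan_log(LOG_LINES):
        print(f"{a['time']} {a['ip']} {a['cve']} {a['param']}={a['value']!r}")
```

Reflected XSS leaves no server-side trace beyond the request line, so a 200 status on a flagged request is not evidence that the payload ran, only that the parameter was accepted; treat hits as attempts and correlate by source IP. Because the decode mirrors what the application does (plus-to-space, percent-decoding, one extra pass for double encoding), a WAF rule that matches only the literal PoC strings would miss trivially re-encoded variants that this scanner still catches.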