A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. This manipulation of the argument Notes causes cross site scripting.
The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 1.0.3 is recommended to address this issue.
Patch name: fc5c8e55988e89273012491b5f097b762b474546. It is suggested to upgrade the affected component.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
Passive
Minimal interaction
Impact Assessment
Confidentiality
None
No data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 6
https://github.com/Horilla-opensource/Horilla-crm/commit/fc5c8e55988e8927301249…
cna@vuldb.com
https://github.com/Stolichnayer/Horilla-CRM-Stored-XSS
cna@vuldb.com
https://github.com/horilla-opensource/horilla-crm/releases/tag/1.0.3
cna@vuldb.com
https://vuldb.com/?ctiid.347408
cna@vuldb.com
https://vuldb.com/?id.347408
cna@vuldb.com
https://vuldb.com/?submit.757314
cna@vuldb.com