CVE-2026-5370

MEDIUM CVSS 4.0: 5.1 EPSS 0.03%
Updated Apr 03, 2026
Laravel
Parameter    Value
CVSS         5.1 (MEDIUM)
Type         CWE-94 (Code Injection), CWE-79 (Cross-Site Scripting (XSS))
Vendor       Laravel
Public PoC   No

A vulnerability was identified in krayin laravel-crm up to 2.2. It affects the function composeMail in the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. Manipulation leads to cross-site scripting.

The attack can be carried out remotely. The exploit is publicly available and might be used. The identifier of the patch is 73ed28d466bf14787fdb86a120c656a4af270153.

To fix this issue, it is recommended to deploy a patch.

Attack Parameters

Attack Vector: Network (Can be exploited remotely)
Attack Complexity: Low (Easy to exploit)
Attack Requirements: None (No additional conditions)
Privileges Required: Low (Basic privileges needed)
User Interaction: Passive (Minimal interaction)

Impact Assessment

Confidentiality: None (No data leak)
Integrity: Low (Partial data modification)
Availability: None (No disruption)

CVSS Vector v4.0

Vulnerable Products

krayin:laravel-crm