CVE-2023-40809 in OpenCRX

Summary

by MITRE • 11/18/2023

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Activity Search Criteria-Activity Number.


Analysis

by VulDB Data Team • 11/07/2025

The vulnerability identified as CVE-2023-40809 affects OpenCRX version 5.2.0, a customer relationship management platform implementing the open source CRM specification. The flaw is an HTML injection vulnerability in the Activity Search Criteria functionality, specifically in the processing of the Activity Number field. It arises from inadequate input validation and sanitization: user-supplied data is not properly filtered before it is incorporated into web responses. When a user enters malicious HTML content into the Activity Number search parameter, that content can be rendered in the application interface without proper escaping or encoding, creating a potential vector for cross-site scripting attacks.

Technically, the vulnerability stems from the application's failure to enforce proper output encoding when displaying search criteria results. According to CWE-79, this represents a classic cross-site scripting vulnerability, where untrusted data flows from the input layer through application processing to the output layer without appropriate sanitization. During an activity search, the system takes the user input for the Activity Number field and incorporates it directly into HTML responses without HTML entity encoding or context-appropriate sanitization. Malicious actors can therefore inject HTML tags, JavaScript payloads, or other malicious content that is executed in the browsers of other users who view the search results.

The operational impact of this vulnerability extends beyond simple HTML injection, as it gives attackers potential access to sensitive user data and session information. When successful, exploitation allows the execution of arbitrary JavaScript code within the victim's browser context, potentially leading to session hijacking, data exfiltration, or further exploitation of the application. Attackers could craft malicious activity numbers containing JavaScript payloads that execute whenever other users view the search results, creating a persistent threat vector that could affect multiple users within the system. The vulnerability particularly impacts users who have administrative privileges or access to sensitive customer data, as these individuals are more attractive targets for such attacks.

Mitigation strategies for CVE-2023-40809 should focus on implementing comprehensive input validation and output encoding mechanisms throughout the OpenCRX application. The primary remediation is to ensure that all user-supplied input within the Activity Search Criteria is properly sanitized and encoded before being rendered in HTML contexts. This includes HTML entity encoding for all dynamic content and strict input validation rules that reject or filter out potentially malicious characters. Organizations should also consider implementing content security policies to prevent the execution of unauthorized scripts, as well as regular security testing, including dynamic application security testing, to identify similar vulnerabilities. According to ATT&CK technique T1566.001, this vulnerability could be exploited through spearphishing with embedded attachments, making it critical to implement proper input validation at all user-facing interfaces. The fix should involve updating the OpenCRX application to version 5.2.1 or later, where this vulnerability has been addressed through proper input sanitization and output encoding mechanisms.
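The mitigation described above, sketched as an added example; this is not OpenCRX code and does not come from the advisory. The class name, the form field markup, the allowed activity-number pattern and the policy string are all assumptions chosen for illustration, and the inputs are constructed.

```java
import java.util.regex.Pattern;

public class ActivitySearchEcho {
    // Assumed format for an activity number; adapt to the deployment's real numbering scheme.
    private static final Pattern ACTIVITY_NUMBER = Pattern.compile("[A-Za-z0-9._-]{1,32}");

    // Assumed policy, sent as a Content-Security-Policy response header; it blocks inline scripts.
    static final String CSP = "default-src 'self'; script-src 'self'; object-src 'none'";

    /** Encode text for an HTML element body or a quoted attribute value. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** The flawed pattern: the search value is concatenated into markup unchanged. */
    static String renderUnsafe(String activityNumber) {
        return "<input name=\"activityNumber\" value=\"" + activityNumber + "\">";
    }

    /** Hardened: always encode on output, and flag values that fail validation. */
    static String renderSafe(String activityNumber) {
        String value = activityNumber == null ? "" : activityNumber;
        boolean valid = value.isEmpty() || ACTIVITY_NUMBER.matcher(value).matches();
        String field = "<input name=\"activityNumber\" value=\"" + escapeHtml(value) + "\">";
        return valid ? field : field + "<p class=\"error\">Invalid activity number</p>";
    }

    public static void main(String[] args) {
        // Constructed inputs: one ordinary value, one carrying markup.
        String[] samples = { "10012345", "\"><h1>injected</h1>" };
        for (String s : samples) {
            System.out.println("unsafe: " + renderUnsafe(s));
            System.out.println("safe:   " + renderSafe(s));
        }
        System.out.println("Content-Security-Policy: " + CSP);
    }
}
```

In the unsafe output the second sample closes the attribute and the heading becomes live markup; in the safe output the same characters arrive as entities and the value stays inside the attribute.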

Reservation: 08/22/2023

Disclosure: 11/18/2023

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.00463

KEV: no

Activities: very low
