CVE-2023-45394 in Smallinfo

Summary

by MITRE • 10/25/2023

Stored Cross-Site Scripting (XSS) vulnerability in the Company field in the "Request a Quote" Section of Small CRM v3.0 allows an attacker to store and execute malicious JavaScript code in the Admin panel which leads to Admin account takeover.


Analysis

by VulDB Data Team • 02/10/2026

The vulnerability identified as CVE-2023-45394 is a stored cross-site scripting flaw in the Small CRM v3.0 application, specifically affecting the Company field in the "Request a Quote" section. It falls under CWE-79 (Improper Neutralization of Input During Web Page Generation); in the stored variant, the malicious script is saved on the server and executed when other users later view the affected page. The flaw lies in the application's input validation and output encoding: an attacker can inject JavaScript that persists in the database and executes in the context of administrator sessions.

Technically, the vulnerability stems from inadequate sanitization of user input in the Company field of the quote request form. When an attacker submits a malicious payload through this field, the application neither validates nor escapes the input before storing it in the database. The stored value is then rendered in the admin panel without context-aware output encoding, so the injected JavaScript executes whenever an administrator views the affected record. This persistence is what distinguishes stored XSS from reflected XSS: the payload remains in the application's database and affects every user who views it, rather than requiring each victim to follow a specially crafted link.

The operational impact extends well beyond script execution, because the flaw gives attackers a route to full compromise of administrator accounts in the Small CRM system. Script running in an admin session inherits its privileges and can perform unauthorized actions including, but not limited to, modifying user permissions, accessing sensitive customer data, altering business records, and establishing persistent backdoors within the application. The vulnerability is therefore a direct privilege-escalation path: the injected script has the full session context and acts with administrative rights, which makes it a particularly dangerous flaw in a customer relationship management system.

Mitigation of CVE-2023-45394 must cover both immediate remediation and long-term prevention. The primary fix is comprehensive input validation and output encoding for the Company field and every other user-supplied value the application renders. That means context-appropriate encoding (HTML element, HTML attribute, JavaScript and URL contexts each need their own escaping) at the point of output, combined with server-side validation rules that reject or sanitize malformed input before storage. The application should additionally deploy a Content Security Policy to limit what injected script can do, and follow secure coding practices consistent with the ATT&CK framework's mitigation recommendations for web application vulnerabilities. Organizations should also consider a web application firewall and monitoring to detect and block similar injection attempts, and conduct regular security assessments to find and remediate other vulnerabilities in the application's codebase.
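The following added example is not Small CRM code and does not reproduce the product's actual templates; it illustrates the mitigation described above on a constructed quote record. It contrasts the vulnerable rendering pattern (stored value concatenated into admin-panel HTML) with context-aware escaping, shows why server-side validation alone does not close the hole, and includes a small checker that flags unexpected tags or event-handler attributes in rendered output, the kind of assertion a regression test for this fix would make. The field names, the CSP value and the length limit are assumptions for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample record standing in for a row saved by the quote form.
# The Company value is a textbook stored-XSS test string, not a real submission.
SAMPLE_QUOTE = {
    "name": "Jane Example",
    "company": '<img src=x onerror="alert(1)">',
    "email": "jane@example.test",
}


def render_company_unsafe(record):
    """Vulnerable pattern: the stored value is pasted straight into the admin HTML."""
    return f"<td>{record['company']}</td>"


def render_company_safe(record):
    """Fixed pattern: escape at the point of output for the contexts actually used.

    html.escape(quote=True) neutralises & < > " ' which covers both the element
    body and a double-quoted attribute value used here.
    """
    company = html.escape(record["company"], quote=True)
    return f'<td title="{company}">{company}</td>'


def validate_company(value, max_len=120):
    """Server-side validation for the Company field (assumed rules).

    This limits length and rejects control characters, but deliberately does
    NOT ban '<' or '"', which appear in legitimate company names. Validation
    therefore reduces abuse but cannot replace output encoding.
    """
    if not isinstance(value, str):
        return False
    value = value.strip()
    if not 1 <= len(value) <= max_len:
        return False
    if re.search(r"[\x00-\x1f\x7f]", value):
        return False
    return True


# Assumed CSP for the admin panel: no inline script, no foreign script sources.
CSP_HEADER = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'self'; frame-ancestors 'none'"
)


class _MarkupAudit(HTMLParser):
    """Collects tags outside an allow-list and any on* event-handler attributes."""

    def __init__(self, allowed_tags):
        super().__init__()
        self.allowed_tags = allowed_tags
        self.findings = []

    def handle_starttag(self, tag, attrs):
        handlers = [name for name, _ in attrs if name.lower().startswith("on")]
        if tag not in self.allowed_tags or handlers:
            self.findings.append((tag, handlers))


def find_injected_markup(rendered, allowed_tags=("td",)):
    """Return [(tag, [event attrs])] for markup the template did not intend to emit."""
    audit = _MarkupAudit(set(allowed_tags))
    audit.feed(rendered)
    return audit.findings


if __name__ == "__main__":
    print("unsafe:", find_injected_markup(render_company_unsafe(SAMPLE_QUOTE)))
    print("safe:  ", find_injected_markup(render_company_safe(SAMPLE_QUOTE)))
    print("validation accepts payload:", validate_company(SAMPLE_QUOTE["company"]))
```

Running the block shows the audit flagging an `img` tag with an `onerror` handler in the unsafe rendering and nothing in the escaped one, while the validator accepts the same string: the defence that actually removes the vulnerability is the encoding step, with validation and the CSP as defence in depth.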

Reservation: 10/09/2023

Disclosure: 10/25/2023

Moderation: accepted

CPE: ready

EPSS: 0.00359

KEV: no

Activities: very low

Sources
