CVE-2023-52265 in IDURAR
Summary
by MITRE • 12/31/2023
IDURAR (aka idurar-erp-crm) through 2.0.1 allows stored XSS via a PATCH request with a crafted JSON email template in the /api/email/update data.
Analysis
by VulDB Data Team • 04/20/2025
CVE-2023-52265 affects IDURAR ERP CRM version 2.0.1 and earlier. It is a critical stored cross-site scripting flaw that lets an attacker execute scripts in the application's context. The flaw is triggered when the application processes a PATCH request to the /api/email/update endpoint whose JSON body carries a crafted email template; the injected content persists and executes against every user who later interacts with the affected template.
The root cause is insufficient input validation and missing output encoding in the email template update functionality. When a crafted JSON payload is submitted via PATCH to that endpoint, the server stores the user-supplied data without sanitizing it. The stored data is later retrieved and rendered without being encoded for its HTML context, so the script injection persists and affects every user who views the compromised template. The vulnerability is classified as CWE-79 (improper neutralization of input during web page generation, i.e. cross-site scripting), which covers the improper handling of untrusted data in web applications.
The operational impact goes beyond running a script: an attacker can hijack user sessions, steal sensitive information, perform actions on behalf of victims, and potentially escalate privileges within the application. A malicious email template containing a JavaScript payload would execute whenever users view their email communications, enabling session hijacking, data exfiltration, or redirection to attacker-controlled sites. Because the payload is stored, the vulnerability stays active until the malicious content is removed from the database, which makes it particularly dangerous for business applications that handle sensitive customer data.
Mitigation should start with proper input validation and output encoding for all user-supplied data in the email template functionality. The application should validate and escape JSON data before storing it, encode stored values at render time, deploy Content Security Policy headers to restrict script execution, and audit every API endpoint that accepts user input. Organizations should also consider a web application firewall to detect and block suspicious PATCH requests, and enforce access controls and authentication so that the set of users able to reach the endpoint is as small as possible. This vulnerability aligns with ATT&CK technique T1566.001 (spearphishing attachment), since the malicious email templates could serve as a delivery mechanism for further attacks within the target environment.
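The following is an added example, not IDURAR's own code: it shows the three defensive pieces the analysis calls for around an email-template PATCH handler, namely field allowlisting on the request body, HTML encoding at render time, and an audit check for templates that were stored before the fix. The field names `subject` and `body` and the size limits are assumptions, not taken from the project.

```javascript
// Escape the five HTML-significant characters so stored text renders literally.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Allowlisted fields a PATCH may update, with maximum lengths (assumed values).
// Anything else, including nested objects that a naive Object.assign would
// persist, is rejected rather than written to the database.
const ALLOWED_FIELDS = { subject: 200, body: 20000 };

function validateTemplatePatch(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return { ok: false, error: 'payload must be a JSON object' };
  }
  const clean = {};
  for (const [key, value] of Object.entries(payload)) {
    const max = ALLOWED_FIELDS[key];
    if (max === undefined) return { ok: false, error: `unexpected field: ${key}` };
    if (typeof value !== 'string') return { ok: false, error: `${key} must be a string` };
    if (value.length > max) return { ok: false, error: `${key} exceeds ${max} characters` };
    clean[key] = value;
  }
  return { ok: true, fields: clean };
}

// Render the stored template as an HTML fragment, encoding at output time.
// Output encoding is the control that neutralizes stored XSS even when a raw
// value reached the database through another path.
function renderTemplate(stored) {
  return `<h1>${escapeHtml(stored.subject)}</h1><p>${escapeHtml(stored.body)}</p>`;
}

// Audit helper: flag stored templates containing script-like markup so
// content injected before the fix was deployed can be found and removed.
const SUSPICIOUS = /<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:/i;
function looksInjected(stored) {
  return Object.values(stored).some((v) => typeof v === 'string' && SUSPICIOUS.test(v));
}

// Constructed sample: a PATCH body of the kind the advisory describes.
const samplePatch = { subject: 'Invoice', body: '<script>alert(1)</script>' };
const result = validateTemplatePatch(samplePatch);
if (result.ok) {
  console.log(renderTemplate(result.fields));   // script tags arrive as &lt;script&gt;
  console.log('flagged for audit:', looksInjected(result.fields));
}
```

The validator deliberately accepts the sample body, since a template may legitimately contain angle brackets; it is the encoding in `renderTemplate` that prevents execution, and `looksInjected` is for finding already-stored payloads, not for blocking input.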