| शीर्षक | Horilla CRM < 1.0.3 Cross Site Scripting |
|---|
| विवरण | A Stored Cross-Site Scripting (XSS) vulnerability exists in Horilla CRM versions prior to 1.0.3. The issue affects the Notes and Attachment functionality within the Leads module.
The application does not properly sanitize or encode user-supplied input in the Notes field. Malicious JavaScript entered into the Notes section is stored in the database and later executed when the note is edited. An authenticated attacker can inject arbitrary JavaScript payloads, which execute in the context of other users viewing or editing the affected note.
Suggested CVSS 3.1:
Medium 4.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Fix commit:
https://github.com/horilla-opensource/horilla-crm/commit/fc5c8e55988e89273012491b5f097b762b474546
|
|---|
| स्रोत | ⚠️ https://github.com/Stolichnayer/Horilla-CRM-Stored-XSS |
|---|
| उपयोगकर्ता | alexperrakis (UID 85369) |
|---|
| सबमिशन | 12/02/2026 06:48 PM (4 महीनों पहले) |
|---|
| संयम | 23/02/2026 06:42 PM (11 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 347408 [horilla-opensource horilla तक 1.0.2 Leads global.js Notes क्रॉस साइट स्क्रिप्टिंग] |
|---|
| अंक | 20 |
|---|