Submission #781666: Krayin Laravel CRM <= 2.1 (before patch in PR #2466) Cross Site Scripting (Stored XSS) – CWE-79 (Info)

Title: Krayin Laravel CRM <= 2.1 (before patch in PR #2466) Cross Site Scripting (Stored XSS) – CWE-79
Description: A Stored Cross-Site Scripting (XSS) vulnerability exists in the Activities / Notes module of Krayin Laravel CRM. The application previously rendered user-supplied activity comments and notes using dynamic HTML rendering (v-html / v-safe-html) in Vue.js components. Because input was not properly escaped, attackers could store malicious JavaScript payloads which would execute whenever the content was viewed. This allows an authenticated attacker to inject arbitrary JavaScript that executes in the browser of other users accessing the affected record. The issue was fixed by removing unsafe HTML rendering and switching to escaped Vue interpolation, ensuring user input is rendered as plain text.
Source: ⚠️ https://github.com/krayin/laravel-crm/pull/2466
User: DineshrajanSv (UID 96525)
Submission: 2026. 03. 17. 08:03 AM (21 days ago)
Moderation: 2026. 04. 01. 08:56 PM (15 days later)
Status: Accepted
VulDB entry: 354756 [krayin laravel-crm up to 2.2 Activities Module/Notes inbox.spec.ts composeMail cross site scripting]
Points: 20
