| Title | PHPGurukul Small CRM in PHP 4 Cross Site Scripting |
|---|
| Description | A security assessment of the *Small CRM in PHP V4.0* revealed multiple stored Cross-Site Scripting (XSS) vulnerabilities in different modules:
1. Registration Module → User Management
- Input: /crm/registration.php (username field)
- Trigger: /crm/admin/manage-users.php when the admin views registered users.
2. Ticket Module → Ticket Management
- Input: /crm/create-ticket.php (ticket details field)
- Trigger: /crm/admin/manage-tickets.php when the admin views submitted tickets.
3. Quote Module → Quote Details
- Input: /crm/get-quote.php (quote query field)
- Trigger: /crm/admin/quote-details.php?id=<id> when the admin views quote details.
All three issues stem from missing output encoding, enabling unauthenticated attackers to inject persistent JavaScript payloads that are executed in the context of the administrator’s browser session. |
|---|
| Source | ⚠️ https://github.com/YoSheep/cve/blob/main/PHPGurukul%20Small%20CRM%20in%20PHP%20V4.0%20Multiple%20Stored%20Cross-Site%20Scripting%20(XSS)%20Vulnerabilities.md |
|---|
| User | YoSheep (UID 88465) |
|---|
| Submission | 08/26/2025 19:53 (10 months ago) |
|---|
| Moderation | 09/02/2025 14:31 (7 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 322181 [PHPGurukul Small CRM 4.0 /registration.php Username cross site scripting] |
|---|
| Points | 20 |
|---|