| Title | krayin laravel-crm <=2.2 Stored Cross-Site Scripting (XSS) |
|---|---|
| Description | A Stored Cross-Site Scripting (XSS) vulnerability exists in Krayin Laravel CRM ≤ 2.2 within the Notes field of the Contacts → Persons module.<br>The application fails to properly sanitize or encode user-supplied input before storing and rendering it. As a result, attackers can inject malicious HTML, CSS, and JavaScript payloads into the Notes field, which are persistently stored in the database.<br>When the affected record is viewed, the injected payload is executed in the browser of all users accessing the record, including privileged users such as administrators.<br>This vulnerability enables attackers to perform malicious actions such as:<br>- Session hijacking<br>- Credential theft<br>- Unauthorized actions on behalf of victims<br>- UI manipulation and phishing attacks<br>Since the payload is stored and executed across multiple users, this issue represents a high-impact stored XSS affecting all users of the system. |
| Source | https://github.com/krayin/laravel-crm/issues/2419 |
| User | DineshrajanSv (UID 96525) |
| Submission | 04/04/2026 09:39 (12 days ago) |
| Moderation | 04/12/2026 21:09 (8 days later) |
| Status | Duplicate |
| VulDB entry | 354756 [krayin laravel-crm up to 2.2 Activities Module/Notes inbox.spec.ts composeMail cross site scripting] |
| Points | 0 |