XSS vulnerability at Note function. #1701

KevinKien · 2024-10-30T04:56:08Z

When i click to note function and commend with payload "2"><img src=x onerror=alert(String.fromCharCode(88,83,83));>"

After save note will pop up such as image bellow.

Any one when access to url https://demo.krayincrm.com/krayin-42-112-15-238/admin/leads/view/24, pop up will show cho this user.

Recommended: You should validate input for note, don't allow insert special characters or html encode special characters.

The text was updated successfully, but these errors were encountered:

suraj-webkul · 2024-10-30T10:18:00Z

Hello, @KevinKien,

Thank you for addressing this issue. We appreciate the fix provided in PR #1675 and your prompt response.

ashishkumar-webkul · 2025-01-07T07:53:23Z

@KevinKien

The issue has been checked and found to be fixed. It is now working fine. The fix will be included in the upcoming release, and we will update you accordingly.

For now, you can refer to the video for a demonstration of the resolved issue.

Video Link:

XSS.1.mp4

KevinKien · 2025-01-07T08:03:52Z

Thank @ashishkumar-webkul, I see on video this issue has fixed. And Could you please assign CVE ID for this vulnerability. Thank you,

…

________________________________ From: Ashish Kumar Bhai ***@***.***> Sent: Tuesday, January 7, 2025 2:53 PM To: krayin/laravel-crm ***@***.***> Cc: Kevin Kien ***@***.***>; Mention ***@***.***> Subject: Re: [krayin/laravel-crm] XSS vulnerability at Note function. (Issue #1701) @KevinKien<https://github.com/KevinKien> The issue has been checked and found to be fixed. It is now working fine. The fix will be included in the upcoming release, and we will update you accordingly. For now, you can refer to the video for a demonstration of the resolved issue. Video Link: https://github.com/user-attachments/assets/07d1bcba-1e61-4f62-b516-cc1b6de75735 — Reply to this email directly, view it on GitHub<#1701 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACMXCJ2GEBEEZOUKE5NBRPT2JOBYTAVCNFSM6AAAAABQ3JI26CVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNZUGYYDMNBVGI>. You are receiving this because you were mentioned.Message ID: ***@***.***>

ashishkumar-webkul · 2025-01-15T07:09:57Z

I have checked and Found that the issue has been fixed and working fine now. Please check the video for reference.

Video

Note.mp4

suraj-webkul added the Bug Fixed label Oct 30, 2024

devansh-webkul added Bug Fix Proposed and removed Bug Fixed labels Nov 7, 2024

devansh-webkul added Bug Fixed and removed Fix Proposed labels Jan 15, 2025

devansh-webkul closed this as completed Jan 15, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XSS vulnerability at Note function. #1701

XSS vulnerability at Note function. #1701

KevinKien commented Oct 30, 2024

suraj-webkul commented Oct 30, 2024

ashishkumar-webkul commented Jan 7, 2025

KevinKien commented Jan 7, 2025 via email •

edited

Loading

ashishkumar-webkul commented Jan 15, 2025

XSS vulnerability at Note function. #1701

XSS vulnerability at Note function. #1701

Comments

KevinKien commented Oct 30, 2024

suraj-webkul commented Oct 30, 2024

ashishkumar-webkul commented Jan 7, 2025

KevinKien commented Jan 7, 2025 via email • edited Loading

ashishkumar-webkul commented Jan 15, 2025

KevinKien commented Jan 7, 2025 via email •

edited

Loading