Hi, I found this issues in ZurmoCRM. All issues are reported in their github.
1.- Html Injection - If you create a Product, list, etc. with this name: <h1>injection</h1>[image: Imágenes integradas 1] - When you go to preview page (in this case products), you can see the injection: [image: Imágenes integradas 2] 2.- Information Disclosure When you put %00 in moduleClassName you can see the full path of the installation of ZurmoCRM: /index.php/designer/default/ modulesMenu?moduleClassName=%00 [image: Imágenes integradas 3] 3.- XSS When you create a list in the "check list" field you can insert a XSS code: index.php/tasks/default/list# [image: Imágenes integradas 4] All issues are reported: https://github.com/zurmo/Zurmo/issues You can test this issues in the demo page: http://demo.zurmo.com/demos/stable/app/index.php/zurmo/default/login Regards. ---- Sergio Galán aka @NaxoneZ
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
