CodeCanyon CRMGo SaaS Vulnerability: Remote Cross-Site Scripting Exploit Disclosed
CVE-2024-9031

5.4MEDIUM

Key Information:

Vendor: Codecanyon
Status: Crmgo Saas
Vendor: CVE Published:; 20 September 2024

Badges

👾 Exploit Exists

What is CVE-2024-9031?

A cross-site scripting flaw has been identified in the CodeCanyon CRMGo SaaS application, specifically in versions up to 7.2. This vulnerability arises from improper processing of the file path /project/task/{task_id}/show. Attackers are able to exploit this flaw by manipulating the comment argument, potentially allowing for the execution of malicious scripts in the context of a user's session. With the exploit disclosed to the public, remote attackers could leverage this issue to compromise user data or perform additional malicious actions on affected systems.

Affected Version(s)

CRMGo SaaS 7.0

CRMGo SaaS 7.1

CRMGo SaaS 7.2

References

https://vuldb.com/?id.278201

vdb-entrytechnical-description

https://vuldb.com/?ctiid.278201

signaturepermissions-required

https://vuldb.com/?submit.410565

third-party-advisory

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Sep 20, 2024
👾
Exploit known to exist
Sep 20, 2024
Vulnerability published
Sep 20, 2024
Vulnerability Reserved
Sep 20, 2024

Credit

Jobyer Ahmed

suffer (VulDB User)

CVE-2024-9031 Data

JSON

Codecanyon