5.1

Horilla-opensource Horilla: Leads Module Can Be Tricked into Running Malicious Code

CVE-2026-3050
Summary

An attacker can exploit a cross-site scripting weakness in the Leads Module of Horilla-opensource Horilla, potentially allowing them to inject malicious code into users' browsers. This can happen when a user interacts with a specially crafted webpage. To fix the issue, we recommend updating to version 1.0.3 of Horilla-opensource Horilla.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
horilla | horilla | <= 1.0.3 | –
Original title
A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. This manipulation of the argum...
Original description
A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. This manipulation of the argument Notes causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 1.0.3 is recommended to address this issue. Patch name: fc5c8e55988e89273012491b5f097b762b474546. It is suggested to upgrade the affected component.
nvd CVSS2.0 4.0
nvd CVSS3.1 5.4
nvd CVSS4.0 5.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
CWE-94 Code Injection
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026