CVE-2011-5214
Description
Multiple cross-site scripting (XSS) vulnerabilities in BrowserCRM 5.100.01 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) modules/admin/admin_module_index.php, or (3) modules/calendar/customise_calendar_times.php; login[] parameter to (4) index.php or (5) pub/clients.php; or framed parameter to (6) licence/index.php or (7) licence/view.php.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
BrowserCRM 5.100.1 - 'clients.php' Cross-Site Scripting
BrowserCRM 5.100.1 - 'framed' Cross-Site Scripting
BrowserCRM 5.100.1 - 'login[]' Cross-Site Scripting
BrowserCRM 5.100.1 - URI Cross-Site Scripting
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| browsercrm | browsercrm | 5.100.01 and earlier | |
| browsercrm | browsercrm | 4.604.01 | |
| browsercrm | browsercrm | 4.605.00 | |
| browsercrm | browsercrm | 4.607.00 | |
| browsercrm | browsercrm | 4.610.00 | |
| browsercrm | browsercrm | 4.611.01 | |
| browsercrm | browsercrm | 4.612.00 | |
| browsercrm | browsercrm | 4.614.00 | |
| browsercrm | browsercrm | 4.615.10 | |
| browsercrm | browsercrm | 4.615.11 | |
| browsercrm | browsercrm | 4.616.00 | |
| browsercrm | browsercrm | 4.617.00 | |
| browsercrm | browsercrm | 4.619.00 | |
| browsercrm | browsercrm | 4.620.01 | |
| browsercrm | browsercrm | 4.622.00 | |
| browsercrm | browsercrm | 4.624.00 | |
| browsercrm | browsercrm | 4.624.01 | |
| browsercrm | browsercrm | 4.624.50 | |
| browsercrm | browsercrm | 4.624.60 | |
| browsercrm | browsercrm | 4.624.70 | |
| browsercrm | browsercrm | 4.624.80 | |
| browsercrm | browsercrm | 4.624.90 | |
| browsercrm | browsercrm | 4.691.01 | |
| browsercrm | browsercrm | 4.999.20 | |
| browsercrm | browsercrm | 5.000.00 | |
| browsercrm | browsercrm | 5.000.01 | |
| browsercrm | browsercrm | 5.001.00 | |
| browsercrm | browsercrm | 5.002.00 | |
| browsercrm | browsercrm | 5.100.00 | |
References
- http://osvdb.org/77728
- http://osvdb.org/77729
- http://osvdb.org/77730
- http://osvdb.org/77731
- http://osvdb.org/77732
- http://secunia.com/advisories/47217
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71827
- https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_browser_crm.html
CWEs
CWE-79