CVE-2018-14396

Name of the Vulnerable Software and Affected Versions Creme CRM version 1.6.12

Description An issue was discovered in the salesman creation page, which is affected by stored cross-site scripting vulnerabilities. The vulnerable parameters include firstname, lastname, billing address-address, billing address-zipcode, billing address-city, billing address-department, shipping address-address, shipping address-zipcode, shipping address-city, and shipping address-department.

Recommendations For Creme CRM version 1.6.12, consider restricting the use of the vulnerable parameters until a patch is available. As a temporary workaround, avoid using the parameters firstname, lastname, billing address-address, billing address-zipcode, billing address-city, billing address-department, shipping address-address, shipping address-zipcode, shipping address-city, and shipping address-department in the salesman creation page to minimize the risk of exploitation.