CVE-2018-9283

Name of the Vulnerable Software and Affected Versions CremeCRM version 1.6.12

Description A stored Cross-Site Scripting (XSS) issue was found, affecting the contact creation and modification page. The issue is related to the firstname, lastname, billing address-address, billing address-zipcode, billing address-city, billing address-department, shipping address-address, shipping address-zipcode, shipping address-city, and shipping address-department parameters. The payload is stored in the application database, allowing the execution of JavaScript code when a client visits an infected page.

Recommendations For CremeCRM version 1.6.12, as a temporary workaround, consider restricting the use of the contact creation and modification page until a patch is available. Avoid using the parameters firstname, lastname, billing address-address, billing address-zipcode, billing address-city, billing address-department, shipping address-address, shipping address-zipcode, shipping address-city, and shipping address-department in the affected page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.