CVE-2018-8047

Name of the Vulnerable Software and Affected Versions: vtiger CRM versions prior to 7.0.1

Description: The issue is a reflected Cross-Site Scripting (XSS) vulnerability that could allow remote unauthenticated attackers to inject arbitrary web script or HTML via the "index.php?module=Contacts&view=List" API endpoint, specifically using the app parameter. This allows attackers to potentially execute malicious scripts on the victim's browser.

Recommendations: For versions prior to 7.0.1, consider disabling access to the "index.php?module=Contacts&view=List" API endpoint until a patch is available. As a temporary workaround, restrict the use of the app parameter in this endpoint to minimize the risk of exploitation.