Unknown · Rukovoditel Crm · CVE-2026-31845
Name of the Vulnerable Software and Affected Versions
Rukovoditel CRM versions 3.6.4 and earlier
Description
A reflected cross-site scripting (XSS) issue exists in the Zadarma telephony API endpoint (`/api/tel/zadarma.php`). The application reflects user-supplied input from the `zd_echo` GET parameter into the HTTP response without proper sanitization. The vulnerable code directly outputs the value of the `zd_echo` parameter using the `exit()` function. An unauthenticated attacker can exploit this by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the victim's browser, potentially leading to session hijacking, credential theft, phishing, or account takeover.
Recommendations
Update to version 3.7 or later, which includes proper input validation and output encoding to prevent script injection.
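The following PHP is an added illustration of the pattern described in the Description section and of the validation-plus-encoding fix recommended above; it is not Rukovoditel's own code, and the function names, the allowed character set for the echo value and the 64-character limit are assumptions. The first handler reflects the raw `zd_echo` value exactly as the advisory describes; the second allowlists it, serves it as plain text with `nosniff` so the browser will not interpret it as HTML, and HTML-encodes it anyway as defence in depth.

```php
<?php
// Added example, not the project's code. Names and the allowlist pattern are assumptions.

// BEFORE: the value is written straight into the response body. PHP serves
// text/html by default, so any markup in the parameter is rendered by the browser.
function vulnerable_echo_handler(array $get): void
{
    if (isset($get['zd_echo'])) {
        exit($get['zd_echo']);
    }
}

// AFTER: validate the shape of the value, fix the content type, and encode the output.
function hardened_echo_handler(array $get): void
{
    if (!isset($get['zd_echo'])) {
        return;
    }
    $echo = $get['zd_echo'];

    // Input validation: only accept a short opaque token. The exact character
    // set Zadarma uses is an assumption here; tighten it to match the real format.
    if (!is_string($echo) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $echo)) {
        http_response_code(400);
        exit('invalid zd_echo');
    }

    // Output handling: declare the body as plain text and forbid MIME sniffing,
    // so even a value that slipped past validation is never parsed as HTML.
    header('Content-Type: text/plain; charset=utf-8');
    header('X-Content-Type-Options: nosniff');

    // Output encoding as a second layer; redundant after the allowlist, but cheap.
    exit(htmlspecialchars($echo, ENT_QUOTES, 'UTF-8'));
}

hardened_echo_handler($_GET);
```

The allowlist is the primary control: an echo endpoint that must return the caller's value verbatim can still refuse anything that does not look like a legitimate token. The content-type and encoding changes are there so that a future relaxation of the regex does not silently reintroduce the reflected XSS.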