CVE-2021-33849

Name of the Vulnerable Software and Affected Versions: Zoho CRM Lead Magnet version 1.7.2.4

Description: A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. The attack targets the application's users and not the application itself, using the application as the attack's vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form.

Recommendations: For Zoho CRM Lead Magnet version 1.7.2.4, consider disabling the functionality that allows users to change form values or delete created forms until a patch is available. Restrict access to the affected forms to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.