CVE-2023-3754

Name of the Vulnerable Software and Affected Versions Creativeitem Ekushey Project Manager CRM version 5.0

Description A problematic vulnerability was found in the software, affecting an unknown function of the file /index.php/client/message/message read/xxxxxxxx[random-msg-hash]. The manipulation of the message argument leads to cross-site scripting. It is possible to launch the attack remotely. The vendor was contacted about this disclosure but did not respond.

Recommendations For version 5.0, as a temporary workaround, consider restricting access to the /index.php/client/message/message read/xxxxxxxx[random-msg-hash] endpoint until a patch is available. Avoid using the message argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.