XSS vulnerability at Note function.

[KevinKien]

When i click to note function and commend with payload "2"><img src=x onerror=alert(String.fromCharCode(88,83,83));>"

After save note will pop up such as image bellow.

Any one when access to url https://demo.krayincrm.com/krayin-42-112-15-238/admin/leads/view/24, pop up will show cho this user.

Recommended: You should validate input for note, don't allow insert special characters or html encode special characters.

[suraj-webkul]

Hello, @KevinKien,

Thank you for addressing this issue. We appreciate the fix provided in PR #1675 and your prompt response.

[ashishkumar-webkul]

@KevinKien

The issue has been checked and found to be fixed. It is now working fine. The fix will be included in the upcoming release, and we will update you accordingly.

For now, you can refer to the video for a demonstration of the resolved issue.

Video Link:

XSS.1.mp4

[KevinKien]

Thank Ashish, I see on video this issue has fixed. And Could you please assign CVE ID for this vulnerability. Thank you,

…

________________________________ From: Ashish Kumar Bhai ***@***.***> Sent: Tuesday, January 7, 2025 2:53 PM To: krayin/laravel-crm ***@***.***> Cc: Kevin Kien ***@***.***>; Mention ***@***.***> Subject: Re: [krayin/laravel-crm] XSS vulnerability at Note function. (Issue #1701) @KevinKien<https://github.com/KevinKien> The issue has been checked and found to be fixed. It is now working fine. The fix will be included in the upcoming release, and we will update you accordingly. For now, you can refer to the video for a demonstration of the resolved issue. Video Link: https://github.com/user-attachments/assets/07d1bcba-1e61-4f62-b516-cc1b6de75735 — Reply to this email directly, view it on GitHub<#1701 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACMXCJ2GEBEEZOUKE5NBRPT2JOBYTAVCNFSM6AAAAABQ3JI26CVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNZUGYYDMNBVGI>. You are receiving this because you were mentioned.Message ID: ***@***.***>